WO2020220977A1 - Data flow guiding apparatus and data flow guiding method in virtual network - Google Patents

Data flow guiding apparatus and data flow guiding method in virtual network Download PDF

Info

Publication number
WO2020220977A1
Authority
WO
WIPO (PCT)
Prior art keywords
virtual machine
data
bridge
port
secure
Prior art date
Application number
PCT/CN2020/084347
Other languages
French (fr)
Chinese (zh)
Inventor
巩泉吉
王�华
周栋臣
高超
朱娜
李力军
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2020220977A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4604 LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • H04L 12/462 LAN interconnection over a bridge based backbone
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/25 Routing or path finding in a switch fabric
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/25 Routing or path finding in a switch fabric
    • H04L 49/252 Store and forward routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/25 Routing or path finding in a switch fabric
    • H04L 49/253 Routing or path finding in a switch fabric using establishment or release of connections between ports
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/35 Switches specially adapted for specific applications
    • H04L 49/354 Switches specially adapted for specific applications for supporting virtual local area networks [VLAN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 49/00 Packet switching elements
    • H04L 49/70 Virtual switches
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Definitions

  • This application relates to the technical field of virtual networks, and in particular to a data diversion device and a data diversion method in a virtual network.
  • in a virtualized network, such as a cloud scenario, two virtual machines can send data to each other to communicate.
  • the data is usually diverted to a security service node before being transferred to the other virtual machine; the security service node processes the data to monitor the security of the communication between the two virtual machines, and then forwards the data to the other virtual machine.
  • data can be diverted to the security service node through a virtual gateway.
  • when virtual machine A needs to send data to virtual machine B, virtual machine A first sends the data to virtual gateway A of the virtual local area network (virtual extensible LAN, VxLAN) where virtual machine A is located; virtual gateway A encapsulates the data, and the destination address carried in the encapsulated data is the address of the security service node.
  • when the security service node receives the encapsulated data, it decapsulates it to obtain the data, so that the data can subsequently be processed.
  • the security service node re-encapsulates the data after decapsulating it; the destination address carried in the re-encapsulated data is the address of virtual gateway B in the virtual local area network where virtual machine B is located, and virtual gateway B finally sends the data to virtual machine B.
  • data can also be channeled to the security service node by means of memory transfer.
  • when virtual machine A needs to send data to virtual machine B, virtual machine A writes the data into the memory corresponding to virtual machine A; the security service node reads the data from the memory corresponding to virtual machine A and writes it into the memory corresponding to virtual machine B, so that the data of virtual machine A is sent to virtual machine B.
  • in the first method, the security service node needs to know in advance the protocol used by the virtual gateway to encapsulate data.
  • in the second method, the security service node needs to customize and develop in advance an application programming interface (API) that matches the memory of the virtual machine.
  • API: application programming interface
  • the security service node is usually provided by a third party, so both methods require a large amount of pre-adaptation work on the third-party security service node, which limits the flexibility of the above data diversion process.
  • the embodiments of the present application provide a data diversion device and a data diversion method in a virtual network, which can improve the flexibility of data diversion.
  • a data diversion device in a virtual network includes a first virtual machine, a second virtual machine, a security service node, and a virtual switch; the first virtual machine, the second virtual machine, and the security service node are each connected to the virtual switch; the virtual switch is used to forward the data transmitted between the first virtual machine and the second virtual machine to the security service node according to a flow table, to instruct the security service node to process the first data, and the flow table is used to indicate the routing rules by which the virtual switch transmits data.
  • because the first virtual machine, the second virtual machine, and the security service node are each connected to the virtual switch, and the flow table indicates the routing rules by which the virtual switch transmits data, the virtual switch and flow table created among the first virtual machine, the second virtual machine, and the security service node can implement data diversion to the security service node.
  • the security service node therefore does not need to know in advance the protocol used by the virtual gateway to encapsulate data, and does not need to customize and develop in advance an API that matches the memory of the virtual machine. Therefore, with the data diversion device provided by the embodiment of the present application, there is no need to perform a large amount of adaptation work in advance on the security service node provided by a third party, which improves the application flexibility of the data diversion device.
  • the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module, and an integrated bridge; the first virtual machine is connected to the first virtual machine bridge, the second virtual machine is connected to the second virtual machine bridge, the security service node is connected to the security monitoring bridge module, and the first virtual machine bridge, the second virtual machine bridge, and the security monitoring bridge module are each connected to the integrated bridge.
  • a pair of mutually paired ports means that the data sent by one port is received by the other port, and the data sent by the other port is received by the first port.
  • the flow table is used to indicate the routing rules for transferring data within any one of the first virtual machine bridge, the second virtual machine bridge, the security monitoring bridge module, and the integrated bridge.
  • the security service node includes a first security virtual machine
  • the security monitoring bridge module includes a first security virtual machine bridge component
  • the first security virtual machine is connected to the first secure virtual machine bridge component
  • the first virtual machine bridge includes a first port and a second port, and the first secure virtual machine bridge component includes a third port and a fourth port; the first port and the third port on the first secure virtual machine bridge component are a pair of mutually paired ports, and the second port and the fourth port on the first secure virtual machine bridge component are a pair of mutually paired ports.
  • the security service node can include only one secure virtual machine, and the security monitoring bridge module then also includes only one secure virtual machine bridge component; in this way, data can be diverted to a single secure virtual machine, which improves the flexibility of the data diversion device.
  • the security service node includes N secure virtual machines
  • the security monitoring bridge module includes N secure virtual machine bridge components
  • N secure virtual machines correspond to N secure virtual machine bridge components one to one
  • N is a positive integer greater than or equal to 2
  • the first virtual machine bridge includes a first port and a second port, and each secure virtual machine bridge component includes a third port and a fourth port; the first port and the third port on the first sorted secure virtual machine bridge component are a pair of mutually paired ports, and the second port and the fourth port on the last sorted secure virtual machine bridge component are a pair of mutually paired ports.
  • the security service node includes multiple secure virtual machines and the security monitoring bridge module also includes multiple secure virtual machine bridge components, so that data can be diverted to multiple secure virtual machines for separate security monitoring, which improves the flexibility of the data diversion device.
  • the third port on the i-th secure virtual machine bridge component and the fourth port on the (i-1)-th secure virtual machine bridge component are a pair of mutually paired ports, where i is a positive integer greater than or equal to 2 and less than or equal to N.
  • in this way, the data can be transferred in turn from the first secure virtual machine bridge component to the last secure virtual machine bridge component, ensuring that the data can be returned to the first virtual machine bridge after passing through multiple secure virtual machines.
  • any secure virtual machine bridge component further includes a fifth port and a sixth port, and the fifth port and the sixth port on any secure virtual machine bridge component are used to connect to a secure virtual machine; the flow table is used to indicate that the data received by the third port on any secure virtual machine bridge component is sent out by the fifth port on the same secure virtual machine bridge component, and that the data received by the fifth port on any secure virtual machine bridge component is sent out by the third port on the same secure virtual machine bridge component; the flow table is also used to indicate that the data received by the sixth port on any secure virtual machine bridge component is sent out by the fourth port on the same secure virtual machine bridge component, and that the data received by the fourth port on any secure virtual machine bridge component is sent out by the sixth port on the same secure virtual machine bridge component.
  • the first virtual machine bridge further includes a seventh port, which is connected to the first virtual machine; the flow table is used to indicate that the data received by the seventh port is sent out by the first port, and the data received by the first port is sent out by the seventh port.
  • the first virtual machine bridge further includes an eighth port, and the integrated bridge includes a ninth port; the eighth port is connected to the ninth port; the flow table is also used to indicate that the data received by the second port is sent out by the eighth port, and the data received by the eighth port is sent out by the ninth port.
  • the integrated bridge further includes a tenth port
  • the second virtual machine bridge also includes an eleventh port and a twelfth port; the tenth port and the eleventh port are connected, and the twelfth port is connected to the second virtual machine
  • the flow table is also used to indicate that the data received by the ninth port is sent out by the tenth port, and the data received by the tenth port is sent out by the ninth port
  • the flow table is also used to indicate that the data received by the eleventh port is sent out by the twelfth port, and the data received by the twelfth port is sent out by the eleventh port.
  • in this way, the data received by the first virtual machine bridge can be sent to the second virtual machine bridge through the integrated bridge, and the data received by the second virtual machine bridge can be sent to the first virtual machine bridge through the integrated bridge.
  • any secure virtual machine bridge component includes a first secure virtual machine bridge and a second secure virtual machine bridge; the third port and the fifth port are deployed on the first secure virtual machine bridge, and the fourth port and the sixth port are deployed on the second secure virtual machine bridge.
  • in this way, the transmission path of the data sent to the secure virtual machine and the transmission path of the data sent by the secure virtual machine can be implemented through different bridges, which makes it easier for the SDN controller to formulate the flow table.
  • the virtual switch is created by a software-defined network (SDN) controller, and the flow table is delivered to the virtual switch by the SDN controller.
  • a data diversion method in a virtual network, characterized in that it is applied to the data diversion device of any one of claims 1 to 11; the method includes: the virtual switch receives the first data sent by the first virtual machine; the virtual switch forwards the first data to the security service node according to the flow table to instruct the security service node to process the first data, where the flow table is used to indicate the routing rules by which the virtual switch transmits data; and when the virtual switch receives the first data sent by the security service node, it sends the first data to the second virtual machine according to the flow table.
  • the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module, and an integrated bridge; the virtual switch receiving the first data sent by the first virtual machine includes: the first virtual machine bridge receives the first data sent by the first virtual machine; accordingly, the virtual switch forwarding the first data to the security service node according to the flow table to instruct the security service node to process the first data includes: the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table, and the security monitoring bridge module forwards the received first data to the security service node according to the flow table to instruct the security service node to process the first data; accordingly, when the virtual switch receives the first data sent by the security service node, sending the first data to the second virtual machine according to the flow table includes: the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the first data sent by the security monitoring bridge module
  • the security service node includes a first security virtual machine
  • the security monitoring bridge module includes a first security virtual machine bridge component
  • the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sends the first data through the first port; accordingly, the security monitoring bridge module forwarding the received first data to the security service node according to the flow table to instruct the security service node to process the first data includes: the first secure virtual machine bridge component receives the first data through the third port and sends the first data to the first secure virtual machine; the first port and the third port on the first secure virtual machine bridge component are a pair of mutually paired ports.
  • the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the first secure virtual machine bridge component receives the first data sent by the first secure virtual machine, the first secure virtual machine bridge component sends the first data through the fourth port; the first virtual machine bridge receives the first data through the second port, and the second port and the fourth port on the first secure virtual machine bridge component are a pair of mutually paired ports.
  • the security service node includes N secure virtual machines
  • the security monitoring bridge module includes N secure virtual machine bridge components, and the N secure virtual machines correspond one-to-one to the N secure virtual machine bridge components, where N is a positive integer greater than or equal to 2
  • the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sends the first data through the first port, and the first secure virtual machine bridge component among the N secure virtual machine bridge components sorted in the reference order receives the first data through the third port; the first port and the third port on the first sorted secure virtual machine bridge component are a pair of mutually paired ports; accordingly, the security monitoring bridge module forwarding the received first data to the security service node to instruct the security service node to process the first data includes: the first secure virtual machine bridge component sends the first data to the corresponding secure virtual machine to instruct the corresponding secure virtual machine to process the first data, and the first secure virtual machine bridge component receives the first data returned by the corresponding secure virtual machine
  • the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the last sorted secure virtual machine bridge component receives the first data sent by the corresponding secure virtual machine, it sends the first data through the fourth port; the first virtual machine bridge receives the first data through the second port, and the second port and the fourth port on the last sorted secure virtual machine bridge component are a pair of mutually paired ports.
  • the method further includes: the virtual switch receives the second data sent by the second virtual machine in response to the first data; the virtual switch forwards the second data to the security service node according to the flow table to instruct the security service node to process the second data; when the virtual switch receives the second data sent by the security service node, it sends the second data to the first virtual machine according to the flow table.
  • the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module, and an integrated bridge; the virtual switch receiving the second data sent by the second virtual machine in response to the first data includes: the second virtual machine bridge receives the second data sent by the second virtual machine; accordingly, the virtual switch forwarding the second data to the security service node according to the flow table to instruct the security service node to process the second data includes: the second virtual machine bridge sends the second data to the integrated bridge in the virtual switch according to the flow table; when the integrated bridge receives the second data, it sends the second data to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the second data sent by the integrated bridge, it sends the second data to the security monitoring bridge module according to the flow table; the security monitoring bridge module forwards the received second data to the security service node according to the flow table to instruct the security service node to process the second data; accordingly, when the virtual switch receives the second data sent by the security service node, sending the second data to the first virtual machine according to the flow table includes: the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge
  • the security service node includes a first security virtual machine
  • the security monitoring bridge module includes a first security virtual machine bridge component
  • the first virtual machine bridge sending the second data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data through the second port; the first secure virtual machine bridge component receives the second data through the fourth port, and the second port and the fourth port on the first secure virtual machine bridge component are a pair of mutually paired ports.
  • the security monitoring bridge module sending the second data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the first secure virtual machine bridge component receives the second data sent by the first secure virtual machine, it sends the second data through the third port of the first secure virtual machine bridge component; the first virtual machine bridge receives the second data through the first port.
  • the security service node includes N secure virtual machines
  • the security monitoring bridge module includes N secure virtual machine bridge components, and the N secure virtual machines correspond one-to-one to the N secure virtual machine bridge components, where N is a positive integer greater than or equal to 2; when the first virtual machine bridge receives the second data sent by the integrated bridge, sending the second data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data through the second port, and the last secure virtual machine bridge component among the N secure virtual machine bridge components sorted in the reference order receives the second data through the fourth port; the second port and the fourth port on the last sorted secure virtual machine bridge component are a pair of mutually paired ports;
  • the security monitoring bridge module forwarding the received second data to the security service node according to the flow table to instruct the security service node to process the second data includes: the last secure virtual machine bridge component sends the second data to the corresponding secure virtual machine to instruct it to process the second data and return the second data to the last secure virtual machine bridge component; the last secure virtual machine bridge component then sends the second data to the penultimate sorted secure virtual machine bridge component;
  • the j-th secure virtual machine bridge component receives the second data sent by the (j+1)-th secure virtual machine bridge component and sends the second data to the corresponding secure virtual machine, to instruct the corresponding secure virtual machine to process the second data and return it to the j-th secure virtual machine bridge component, where j is a positive integer greater than or equal to 1 and less than or equal to N-1; after the N secure virtual machine bridge components are sorted according to the reference order, every two adjacent secure virtual machine bridge components have a pair of mutually paired ports.
  • the security monitoring bridge module sending the second data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the first sorted secure virtual machine bridge component receives the second data sent by the corresponding secure virtual machine, it sends the second data through the third port; the first virtual machine bridge receives the second data through the first port, and the first port and the third port on the first sorted secure virtual machine bridge component are a pair of mutually paired ports.
  • FIG. 1 is a schematic structural diagram of a host in a virtualized network provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of a data diversion device in a virtual network provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of another data diversion device provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of another data diversion device provided by an embodiment of the present application.
  • FIG. 5 is a flowchart of a data diversion method in a virtual network provided by an embodiment of the present application.
  • FIG. 6 is a flowchart of another data diversion method in a virtual network provided by an embodiment of the present application.
  • IPS intrusion prevention system
  • IDS intrusion detection system
  • Fig. 1 is a schematic structural diagram of a host in a virtualized network provided by an embodiment of the present application.
  • an operating system 101 is installed in the host 100, and multiple virtual machines are running on the operating system 101, and data can be transmitted between each virtual machine.
  • the data diversion device and data diversion method provided in the embodiments of the present application can be applied between two virtual machines located on the same host, and can also be applied between two virtual machines located on different hosts.
  • FIG. 2 is a schematic structural diagram of a data diversion device in a virtual network provided by an embodiment of the present application.
  • the data diversion device 200 includes a first virtual machine 201, a second virtual machine 202, a security service node 203 and a virtual switch 204.
  • the first virtual machine 201, the second virtual machine 202, and the security service node 203 are respectively connected to the virtual switch 204.
  • the virtual switch 204 is used to forward the data transmitted between the first virtual machine 201 and the second virtual machine 202 to the security service node 203 according to the flow table, so as to instruct the security service node 203 to process the first data, and the flow table is used to indicate the routing rules by which the virtual switch 204 transmits data.
  • because the first virtual machine, the second virtual machine, and the security service node are each connected to the virtual switch, and the flow table indicates the routing rules by which the virtual switch transmits data, the virtual switch and flow table created among the first virtual machine, the second virtual machine, and the security service node can implement data diversion to the security service node.
  • the security service node therefore does not need to know in advance the protocol used by the virtual gateway to encapsulate data, and does not need to customize and develop in advance an API that matches the memory of the virtual machine. Therefore, with the data diversion device provided by the embodiment of the present application, there is no need to perform a large amount of adaptation work in advance on the security service node provided by a third party, which improves the application flexibility of the data diversion device.
  • the virtual switch 204 may be created by a software-defined network (SDN) controller. Of course, the virtual switch 204 can also be created by other types of network controllers, which are not enumerated here.
  • the flow table may be delivered to the virtual switch 204 by the SDN controller.
  • the flow table may specifically be a flow table based on OpenFlow (a communication protocol).
  • the virtual switch 204 includes a first virtual machine bridge 2041, a second virtual machine bridge 2042, a security monitoring bridge module 2043, and an integrated bridge 2044.
  • the first virtual machine 201 is connected to the first virtual machine bridge 2041.
  • the second virtual machine 202 is connected to the second virtual machine bridge 2042.
  • the security service node 203 is connected to the security monitoring bridge module 2043.
  • the first virtual machine bridge 2041, the second virtual machine bridge 2042, and the security monitoring bridge module 2043 are respectively connected to the integrated bridge 2044.
  • the first virtual machine bridge 2041, the second virtual machine bridge 2042, the security monitoring bridge module 2043, and the integrated bridge 2044 can all be created by the SDN controller.
  • one or more pairs of mutually paired ports can be created between the security monitoring bridge module 2043 and the other bridges.
  • a pair of mutually paired ports means that the data sent by one port is received by the other port, and the data sent by the other port is received by the first port.
  • the flow table is used to indicate the routing rules for transferring data within any one of the first virtual machine bridge 2041, the second virtual machine bridge 2042, the security monitoring bridge module 2043, and the integrated bridge 2044. Therefore, in the embodiment of the present application, data can be diverted to the security service node through the flow table and the one or more created pairs of mutually paired ports.
  • The virtual switch 204 may have the following two possible structures.
  • In the first possible structure, the first virtual machine bridge 2041 diverts data to the security monitoring bridge module 2043 through one pair of mutually paired ports.
  • When the security monitoring bridge module 2043 receives the data fed back by the security service node 203, it returns the data to the first virtual machine bridge 2041 through another pair of mutually paired ports, so that the data is sent to the second virtual machine 202 through the first virtual machine bridge 2041, the integrated bridge 2044, and the second virtual machine bridge 2042.
  • Without diversion, data between the first virtual machine 201 and the second virtual machine 202 is transmitted through the first virtual machine bridge 2041, the integrated bridge 2044, and the second virtual machine bridge 2042; that is, the transmission path from the first virtual machine 201 to the second virtual machine 202 is first virtual machine bridge 2041 → integrated bridge 2044 → second virtual machine bridge 2042. Data diversion through the first possible structure therefore remains compatible with the original transmission path between the virtual machines and avoids excessive modification of the flow table, which improves the application flexibility of the data diversion device.
  • In the second possible structure, one pair of mutually paired ports is created between the first virtual machine bridge 2041 and the security monitoring bridge module 2043, and another pair of mutually paired ports is created between the security monitoring bridge module 2043 and the second virtual machine bridge 2042.
  • The first virtual machine bridge 2041 diverts data to the security monitoring bridge module 2043 through the first pair of ports.
  • When the security monitoring bridge module 2043 receives the data fed back by the security service node 203, it sends the data to the second virtual machine bridge 2042 through the second pair of ports, so that the data reaches the second virtual machine 202.
  • Because the second possible structure leaves the original path through the integrated bridge 2044, a large number of modifications to the existing flow table are required, which is not conducive to the deployment of the data drainage device.
  • the security service node may include a security virtual machine to perform security monitoring on data through the security virtual machine.
  • the security service node may include multiple security virtual machines to perform security monitoring on data through each of the multiple security virtual machines. Therefore, for the first possible structure described above, the data drainage device shown in FIG. 2 may specifically have the following two structures.
  • Fig. 3 is a schematic structural diagram of another data drainage device provided by an embodiment of the present application.
  • The security service node 203 includes a first secure virtual machine 2031.
  • The security monitoring bridge module 2043 includes a first secure virtual machine bridge component 20431, and the first secure virtual machine 2031 is connected to the first secure virtual machine bridge component 20431.
  • The first virtual machine bridge 2041 includes a first port and a second port.
  • The first secure virtual machine bridge component 20431 includes a third port and a fourth port.
  • The first port and the third port on the first secure virtual machine bridge component 20431 are a pair of mutually paired ports.
  • The second port and the fourth port on the first secure virtual machine bridge component 20431 are another pair of mutually paired ports.
  • When the security service node includes only one secure virtual machine, the security monitoring bridge module also includes only one secure virtual machine bridge component, so a single secure virtual machine bridge component is sufficient to drain data to that secure virtual machine.
  • Fig. 4 is a schematic diagram of another data drainage device provided by an embodiment of the present application.
  • The security service node 203 includes N secure virtual machines 2032.
  • The security monitoring bridge module 2043 includes N secure virtual machine bridge components 20432.
  • The N secure virtual machine bridge components 20432 are sorted according to a reference order, and every two adjacent secure virtual machine bridge components 20432 share a pair of mutually paired ports.
  • N is a positive integer greater than or equal to 2.
  • The first virtual machine bridge 2041 includes a first port and a second port.
  • Each secure virtual machine bridge component 20432 includes a third port and a fourth port.
  • The first port and the third port on the first secure virtual machine bridge component 20432 in the sorted order are a pair of mutually paired ports.
  • The second port and the fourth port on the last secure virtual machine bridge component 20432 in the sorted order are a pair of mutually paired ports.
  • The first virtual machine bridge 2041 can therefore send data through the first port to the first sorted secure virtual machine bridge component 20432. Because the N components are sorted according to the reference order and every two adjacent components share a pair of ports, the data is passed from the first secure virtual machine bridge component 20432 through to the last secure virtual machine bridge component 20432.
  • Because the second port and the fourth port on the last sorted secure virtual machine bridge component 20432 are a pair of mutually paired ports, after passing through all N secure virtual machines 2032 the data is returned to the first virtual machine bridge 2041.
  • In this way, the security service node 203 includes multiple secure virtual machines 2032 and the security monitoring bridge module 2043 includes multiple secure virtual machine bridge components 20432, so that data can be drained to multiple secure virtual machines 2032 for separate security monitoring, which improves the flexibility of the data drainage device.
  • FIG. 4 uses N = 2 for illustration.
  • The number of secure virtual machines 2032 and the number of secure virtual machine bridge components 20432 in FIG. 4 do not constitute a specific limitation on N.
  • The third port on the i-th secure virtual machine bridge component 20432 and the fourth port on the (i-1)-th secure virtual machine bridge component 20432 are a pair of mutually paired ports, where i is a positive integer greater than or equal to 2 and less than or equal to N.
  • For example, the third port on the second secure virtual machine bridge component 20432 and the fourth port on the first secure virtual machine bridge component 20432 are a pair of mutually paired ports.
  • Each secure virtual machine bridge component further includes a fifth port and a sixth port, and the fifth port and the sixth port on a secure virtual machine bridge component are used to connect to its secure virtual machine.
  • The flow table indicates that data received by the third port on any secure virtual machine bridge component is sent out by the fifth port on the same component, and that data received by the fifth port on any secure virtual machine bridge component is sent out by the third port on the same component.
  • The flow table also indicates that data received by the sixth port on any secure virtual machine bridge component is sent out by the fourth port on the same component, and that data received by the fourth port on any secure virtual machine bridge component is sent out by the sixth port on the same component.
  • the first virtual machine bridge further includes a seventh port, which is connected to the first virtual machine.
  • the flow table is used to indicate that the data received by the seventh port is sent by the first port, and the data received by the first port is sent by the seventh port.
  • the first virtual machine bridge further includes an eighth port
  • the integrated bridge includes a ninth port
  • the eighth port is connected to the ninth port.
  • The flow table also indicates that data received by the second port is sent out by the eighth port, and that data received by the eighth port is sent out by the second port (the eighth-port entry is what steers data arriving from the integrated bridge into the security monitoring bridge module).
  • The integrated bridge further includes a tenth port.
  • The second virtual machine bridge also includes an eleventh port and a twelfth port.
  • The tenth port is connected to the eleventh port.
  • The twelfth port is connected to the second virtual machine.
  • the flow table is also used to indicate that the data received by the ninth port is sent by the tenth port, and the data received by the tenth port is sent by the ninth port.
  • the flow table is also used to indicate that the data received by the eleventh port is sent by the twelfth port, and the data received by the twelfth port is sent by the eleventh port.
  • In this way, data received by the first virtual machine bridge can be sent to the second virtual machine bridge through the integrated bridge, and data received by the second virtual machine bridge can be sent to the first virtual machine bridge through the integrated bridge.
  • The secure virtual machine bridge component may include a first secure virtual machine bridge and a second secure virtual machine bridge.
  • The third port and the fifth port in FIG. 3 or FIG. 4 are deployed on the first secure virtual machine bridge.
  • The fourth port and the sixth port in FIG. 3 or FIG. 4 are deployed on the second secure virtual machine bridge.
  • The first virtual machine bridge, the first secure virtual machine bridge, the second secure virtual machine bridge, and the second virtual machine bridge may all be Linux bridges.
  • A bridge of this type may be named a Br-ply bridge; of course, other names may be used.
  • The integrated bridge may be an Open vSwitch (OVS) bridge.
  • The first secure virtual machine bridge and the second secure virtual machine bridge are also each connected to the integrated bridge through a port, which is not described further here.
  • The first virtual machine, the second virtual machine, and the secure virtual machine may be virtual machines on the same host or on different hosts.
  • When the first virtual machine and the second virtual machine need to exchange data in both directions, the first virtual machine, the second virtual machine, and the secure virtual machine need to be deployed on the same host.
  • When the first virtual machine only needs to send data to the second virtual machine in one direction, it is only necessary to restrict the first virtual machine and the secure virtual machine to the same host.
  • When the second virtual machine only needs to send data to the first virtual machine in one direction, it is only necessary to restrict the second virtual machine and the secure virtual machine to the same host.
  • The data diversion method in the virtual network provided by the embodiment of the present application is described in detail below.
  • When the first virtual machine sends first data to the second virtual machine, the first data can be drained through the above data draining device.
  • When the second virtual machine feeds back second data to the first virtual machine based on the first data, the second data can be transmitted along the path opposite to that of the first data, so as to realize the drainage of the second data.
  • FIG. 5 is a flowchart of a data diversion method in a virtual network provided by an embodiment of the present application, which is applied to the data diversion device shown in the embodiments of FIGS. 2 to 4. As shown in Figure 5, the method includes the following steps:
  • Step 501 The virtual switch receives the first data sent by the first virtual machine.
  • step 501 may be: the first virtual machine bridge receives the first data sent by the first virtual machine. Specifically, as shown in FIG. 3 or FIG. 4, the seventh port of the first virtual machine bridge receives the first data.
  • Step 502 The virtual switch forwards the first data to the security service node according to the flow table, so as to instruct the security service node to process the first data.
  • the flow table is used to indicate routing rules for the virtual switch to transmit data.
  • Step 502 may specifically be: the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table; the security monitoring bridge module forwards the received first data to the security service node according to the flow table, to instruct the security service node to process the first data.
  • When the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the first virtual machine bridge sends the first data to the security monitoring bridge module as follows: when the first virtual machine bridge receives the first data sent by the first virtual machine, it sends the first data through the first port, and the first secure virtual machine bridge component receives the first data through the third port.
  • The security monitoring bridge module then forwards the received first data to the security service node according to the flow table, to instruct the security service node to process the first data, as follows: the first secure virtual machine bridge component receives the first data through the third port and sends it through the fifth port to the first secure virtual machine.
  • When the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the first virtual machine bridge sends the first data to the security monitoring bridge module as follows: when the first virtual machine bridge receives the first data sent by the first virtual machine, it sends the first data through the first port, and the first of the N secure virtual machine bridge components in the reference order receives the first data through the third port.
  • The security monitoring bridge module then forwards the received first data to the security service node according to the flow table, to instruct the security service node to process the first data, as follows: the first secure virtual machine bridge component sends the first data to its corresponding secure virtual machine, to instruct that secure virtual machine to process the first data and return it to the first secure virtual machine bridge component; the first secure virtual machine bridge component receives the first data returned by its secure virtual machine and sends it to the second secure virtual machine bridge component; for the i-th sorted secure virtual machine bridge component, the i-th component receives the first data sent by the (i-1)-th component and sends it to its corresponding secure virtual machine, to instruct that secure virtual machine to process the first data and return it to the i-th component, where i is a positive integer greater than or equal to 2 and less than or equal to N.
  • For any secure virtual machine bridge component in the security monitoring bridge module, when the component receives the first data through its third port, it needs to send the first data to the secure virtual machine connected to it; the first data is therefore sent through the fifth port of the component to the corresponding secure virtual machine.
  • The secure virtual machine processes the first data and returns it to the secure virtual machine bridge component.
  • The secure virtual machine bridge component receives the first data returned by its secure virtual machine through the sixth port and, according to the routing rules indicated in the flow table, sends it through the fourth port, to the next secure virtual machine bridge component or to the first virtual machine bridge.
  • Step 503 When the virtual switch receives the first data sent by the security service node, it sends the first data to the second virtual machine according to the flow table.
  • Step 503 may specifically be: the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the first data sent by the security monitoring bridge module, it sends the first data to the integrated bridge according to the flow table; when the integrated bridge receives the first data, it sends the first data to the second virtual machine bridge according to the flow table; and the second virtual machine bridge sends the first data to the second virtual machine according to the flow table.
  • When the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge as follows: when the first secure virtual machine bridge component receives the first data sent by the first secure virtual machine, it sends the first data through the fourth port, and the first virtual machine bridge receives the first data through the second port.
  • When the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge as follows: when the last sorted secure virtual machine bridge component receives the first data sent by its corresponding secure virtual machine, it sends the first data through the fourth port, and the first virtual machine bridge receives the first data through the second port.
  • When the first virtual machine bridge receives the first data sent by the security monitoring bridge module, it sends the first data to the integrated bridge according to the flow table as follows: the first virtual machine bridge sends the first data through the eighth port, and the integrated bridge receives the first data through the ninth port.
  • When the integrated bridge receives the first data, it sends the first data to the second virtual machine bridge according to the flow table, and the second virtual machine bridge sends the first data to the second virtual machine according to the flow table, as follows: the integrated bridge sends the first data through the tenth port; the second virtual machine bridge receives the first data through the eleventh port and sends it through the twelfth port to the second virtual machine.
  • Fig. 6 is a flowchart of another method for data diversion in a virtual network provided by an embodiment of the present application, which is applied to the data diversion apparatus shown in the embodiments of Figs. 2 to 4. As shown in Figure 6, the method includes the following steps:
  • Step 601 The virtual switch receives the second data sent by the second virtual machine for the first data.
  • The virtual switch includes a second virtual machine bridge, and the second virtual machine is connected to the second virtual machine bridge. Therefore, in a possible implementation, step 601 may specifically be: the second virtual machine bridge receives the second data sent by the second virtual machine. Specifically, as shown in FIG. 3 or FIG. 4, the twelfth port of the second virtual machine bridge receives the second data.
  • Step 602 The virtual switch forwards the second data to the security service node according to the flow table, to instruct the security service node to process the second data.
  • Step 602 may specifically be: the second virtual machine bridge sends the second data to the integrated bridge in the virtual switch according to the flow table; when the integrated bridge receives the second data, it sends the second data to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the second data sent by the integrated bridge, it sends the second data to the security monitoring bridge module according to the flow table; and the security monitoring bridge module forwards the received second data to the security service node according to the flow table, to instruct the security service node to process the second data.
  • When the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the first virtual machine bridge, on receiving the second data sent by the integrated bridge, sends the second data to the security monitoring bridge module according to the flow table as follows: the first virtual machine bridge sends the second data through the second port, and the first secure virtual machine bridge component receives the second data through the fourth port.
  • When the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the first virtual machine bridge, on receiving the second data sent by the integrated bridge, sends the second data to the security monitoring bridge module according to the flow table as follows: the first virtual machine bridge sends the second data through the second port, and the last of the N secure virtual machine bridge components in the reference order receives the second data through the fourth port.
  • The security monitoring bridge module then forwards the received second data to the security service node according to the flow table, to instruct the security service node to process the second data, as follows: the last secure virtual machine bridge component sends the second data to its corresponding secure virtual machine, to instruct that secure virtual machine to process the second data and return it to the last secure virtual machine bridge component, and the last secure virtual machine bridge component sends the second data to the penultimate sorted secure virtual machine bridge component; for the j-th sorted secure virtual machine bridge component, the j-th component receives the second data sent by the (j+1)-th component and sends it to its corresponding secure virtual machine, to instruct that secure virtual machine to process the second data and return it to the j-th component, where j is a positive integer greater than or equal to 1 and less than or equal to N-1.
  • Step 603 When the virtual switch receives the second data sent by the security service node, it sends the second data to the first virtual machine according to the flow table.
  • step 603 may specifically be: the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the security monitoring network When the bridge module sends the second data, the second data is sent to the first virtual machine according to the flow table.
  • When the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge as follows: when the first secure virtual machine bridge component receives the second data sent by the first secure virtual machine, it sends the second data through the third port, and the first virtual machine bridge receives the second data through the first port.
  • When the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge as follows: when the first sorted secure virtual machine bridge component receives the second data sent by its corresponding secure virtual machine, it sends the second data through the third port, and the first virtual machine bridge receives the second data through the first port.
  • When a secure virtual machine bridge component receives the second data through the fourth port, it sends the second data through its sixth port to the secure virtual machine connected to it.
  • When the secure virtual machine bridge component receives the second data returned by the connected secure virtual machine through the fifth port, it sends the second data through its third port.
  • The second virtual machine bridge sends the second data to the integrated bridge in the virtual switch according to the flow table as follows: the second virtual machine bridge sends the second data through the eleventh port, and the integrated bridge receives the second data through the tenth port.
  • When the integrated bridge receives the second data, it sends the second data to the first virtual machine bridge in the virtual switch according to the flow table as follows: the integrated bridge sends the second data through the ninth port, and the first virtual machine bridge receives the second data through the eighth port.
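The port pairing of FIG. 3 and FIG. 4 and the flow-table entries listed for the first to twelfth ports, together with the forward path of steps 501 to 503 and the return path of steps 601 to 603, can be checked mechanically. The following is an added example; it is not part of the patent and is not code from any real virtual switch or controller. It models the chained secure virtual machine bridge components for any N, expresses the flow table as ingress-port to egress-port entries, traces one frame in each direction, and verifies that every secure virtual machine sees both the first data and the second data, in reference order on the way out and in reverse order on the way back. The port labels (p1 to p12, and p3_i to p6_i for the i-th component), the endpoint names VM1, VM2 and SVMi, and the treatment of a secure virtual machine as a transparent bump in the wire that returns on its other interface whatever arrives on one are this example's own assumptions. The last function shows the check a practitioner wants after a controller pushes entries: a single overriding entry (p7 to p8) takes the security service node off the path entirely, and a missing entry drops the frame.

```python
"""Added example (not from the patent): model the paired ports and flow table
of FIG. 3 / FIG. 4 and trace the first data (steps 501-503) and the second
data (steps 601-603) through N secure virtual machines.

Labels are this example's own assumptions:
  p1..p12      the first to twelfth ports of the patent
  p3_i..p6_i   the third to sixth ports of the i-th secure VM bridge component
  VM1, VM2     the first and second virtual machine
  SVMi.a/.b    the two interfaces of the i-th secure VM (attached to p5_i / p6_i)
"""


def build_steering(n):
    """Return (links, rules) for n secure virtual machine bridge components.

    links: where a frame arrives when it leaves the key (paired ports,
           bridge-to-bridge connections, VM attachments); always symmetric.
    rules: the flow table, ingress port -> egress port, one entry per port.
    """
    assert n >= 1, "at least one secure virtual machine"
    links, rules = {}, {}

    def connect(a, b):
        links[a] = b
        links[b] = a

    # First VM bridge (p1, p2, p7, p8), integrated bridge (p9, p10),
    # second VM bridge (p11, p12).
    connect("VM1", "p7")
    connect("p8", "p9")
    connect("p10", "p11")
    connect("p12", "VM2")
    rules.update({"p7": "p1", "p1": "p7", "p2": "p8", "p8": "p2",
                  "p9": "p10", "p10": "p9", "p11": "p12", "p12": "p11"})

    # Secure VM bridge components chained in the reference order: p1 pairs
    # with p3_1, p4_i pairs with p3_(i+1), and p4_n pairs with p2.
    for i in range(1, n + 1):
        p3, p4, p5, p6 = (f"p{k}_{i}" for k in (3, 4, 5, 6))
        connect(p5, f"SVM{i}.a")
        connect(p6, f"SVM{i}.b")
        rules.update({p3: p5, p5: p3, p6: p4, p4: p6})
        connect("p1" if i == 1 else f"p4_{i - 1}", p3)
    connect(f"p4_{n}", "p2")
    return links, rules


def trace(src, dst, links, rules, max_hops=500):
    """Follow one frame from endpoint src to endpoint dst; return the hop list.

    A secure VM is a bump in the wire: what arrives on one interface is
    inspected and sent out of the other. Raises RuntimeError if a bridge port
    has no flow entry (frame dropped) or the flow table loops.
    """
    loc, path = src, [src]
    for _ in range(max_hops):
        arrive = links[loc]
        path.append(arrive)
        if arrive == dst:
            return path
        if arrive.startswith("SVM"):            # inspection, then out the other side
            vm, iface = arrive.split(".")
            loc = vm + (".b" if iface == "a" else ".a")
        elif arrive in rules:                   # bridge port: apply the flow table
            loc = rules[arrive]
        else:
            raise RuntimeError(f"frame dropped at {arrive}: no flow entry")
        path.append(loc)
    raise RuntimeError("flow table loops")


def inspected_by(path):
    """Secure VMs that saw the frame, in order, each listed once."""
    seen = []
    for hop in path:
        if hop.startswith("SVM") and hop.split(".")[0] not in seen:
            seen.append(hop.split(".")[0])
    return seen


def check_steering(n):
    """Both directions must pass every secure VM (forward in reference order,
    back in reverse order) and the return path must mirror the forward path."""
    links, rules = build_steering(n)
    fwd = trace("VM1", "VM2", links, rules)     # steps 501-503
    rev = trace("VM2", "VM1", links, rules)     # steps 601-603
    order = [f"SVM{i}" for i in range(1, n + 1)]
    return {"forward_inspected": inspected_by(fwd) == order,
            "reverse_inspected": inspected_by(rev) == order[::-1],
            "symmetric": rev == fwd[::-1],
            "forward_hops": len(fwd)}


def perturbed_inspection(n, in_port, out_port):
    """Re-check VM1 -> VM2 after one flow entry is overridden (out_port None
    removes it): returns the secure VMs still on the path, or 'dropped'."""
    links, rules = build_steering(n)
    if out_port is None:
        rules.pop(in_port, None)
    else:
        rules[in_port] = out_port
    try:
        return inspected_by(trace("VM1", "VM2", links, rules))
    except RuntimeError:
        return "dropped"


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"N={n}:", check_steering(n))
    print("p7 -> p8 override:", perturbed_inspection(2, "p7", "p8"))
    print("p6_1 entry missing:", perturbed_inspection(2, "p6_1", None))
```

Run as a script to print the checks for N = 1, 2 and 3 and the two perturbations. The point of the last function is that the flow table is the only thing that puts the secure virtual machines on the path: whoever can install entries on the virtual switch can take inspection off the path without touching the virtual machines or the security service node, so a trace like this, run against the entries actually installed rather than the intended ones, is the corresponding control.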

Abstract

A data flow guiding apparatus and a data flow guiding method in a virtual network, relating to the technical field of virtual networks. In the data flow guiding apparatus, a first virtual machine, a second virtual machine, and a security service node are each connected to a virtual switch, and a flow table indicates the routing rules by which the virtual switch transmits data. When flow guiding is performed by means of the apparatus, the data does not need to be encapsulated by a virtual machine network gateway at any point, and the virtual machines do not need to implement flow guiding by memory transfer. Thus the security service node does not need to know in advance the protocol a virtual network gateway uses to encapsulate data, and no API interface matching the memory of the virtual machines needs to be custom-developed in advance; correspondingly, no large amount of adaptation is needed for security service nodes provided by a third party, which increases the application flexibility of the data flow guiding apparatus.

Description

虚拟网络中的数据引流装置及数据引流方法Data drainage device and data drainage method in virtual network 技术领域Technical field
本申请涉及虚拟网络技术领域,特别涉及一种虚拟网络中的数据引流装置及数据引流方法。This application relates to the technical field of virtual networks, and in particular to a data diversion device and a data diversion method in a virtual network.
背景技术Background technique
在云场景等虚拟化网络中,两个虚拟机(virtual machine,VM)之间可以相互发送数据,以进行通信。并且,一个虚拟机在向另一个虚拟机发送数据的过程中,该数据在传递至另一个虚拟机之前,通常被引流至安全服务节点,由安全服务节点对该数据进行处理,以监测两个虚拟机之间的通信的安全性,并由安全服务节点将该数据转发至另一个虚拟机。In a virtualized network such as a cloud scene, two virtual machines (virtual machines, VMs) can send data to each other for communication. In addition, when a virtual machine sends data to another virtual machine, the data is usually diverted to the security service node before being transferred to the other virtual machine, and the security service node processes the data to monitor the two The security of communication between virtual machines, and the security service node forwards the data to another virtual machine.
相关技术中可以通过虚拟网关的方式将数据引流至安全服务节点。具体地,当虚拟机A需要向虚拟机B发送数据时,虚拟机A先将数据发送至虚拟机A所在的虚拟局域网(virtual extensible LAN,VxLAN)的虚拟网关A,由虚拟网关A对该数据进行封装,封装之后的数据中携带的目的地址为安全服务节点的地址。当安全服务节点接收到封装之后的数据时,进行解封之后得到该数据,以便后续对该数据进行处理。另外,安全服务节点在解封得到该数据之后,重新对该数据进行封装,封装之后的数据中携带的目的地址为虚拟机B所在的虚拟局域网中的虚拟网关B的地址,由虚拟网关B最终将该数据发送至虚拟机B。In the related technology, data can be diverted to the security service node through a virtual gateway. Specifically, when virtual machine A needs to send data to virtual machine B, virtual machine A first sends the data to virtual gateway A of the virtual local area network (virtual extensible LAN, VxLAN) where virtual machine A is located. Encapsulation is performed, and the destination address carried in the encapsulated data is the address of the security service node. When the security service node receives the encapsulated data, the data is obtained after decapsulation, so that the data can be subsequently processed. In addition, the security service node re-encapsulates the data after decapsulating the data. The destination address carried in the encapsulated data is the address of virtual gateway B in the virtual local area network where virtual machine B is located, and virtual gateway B finally Send the data to virtual machine B.
相关技术中还可以通过内存传递的方式将数据引流至安全服务节点。具体地,当虚拟机A需要向虚拟机B发送数据时,虚拟机A将数据写入虚拟机A对应的内存,安全服务节点从虚拟机A对应的内存中读取该数据,并将该数据重新写入虚拟机B对应的内存,以实现将虚拟机A的数据发送至虚拟机B。In the related technology, data can also be channeled to the security service node by means of memory transfer. Specifically, when virtual machine A needs to send data to virtual machine B, virtual machine A writes the data into the memory corresponding to virtual machine A, and the security service node reads the data from the memory corresponding to virtual machine A, and sends the data The memory corresponding to the virtual machine B is rewritten, so that the data of the virtual machine A is sent to the virtual machine B.
对于上述通过虚拟网关的方式,需要安全服务节点能够提前明确虚拟网关封装数据时采用的协议。对于上述通过内存传递的方式,需要安全服务节点预先定制开发与虚拟机的内存匹配的应用程序编程接口(application programming interface,API)接口。而安全服务节点通常由第三方提供,导致这两种方式中均需要对第三方提供的安全服务节点预先进行大量的适配工作,影响了上述数据引流过程的灵活性。For the above-mentioned method through the virtual gateway, the security service node needs to be able to clarify the protocol used when the virtual gateway encapsulates data in advance. For the foregoing memory transfer method, the security service node needs to customize and develop an application programming interface (API) interface that matches the memory of the virtual machine in advance. The security service node is usually provided by a third party, which leads to a large amount of pre-adaptation work for the security service node provided by the third party in both methods, which affects the flexibility of the above-mentioned data drainage process.
Summary of the invention
Embodiments of this application provide a data steering apparatus and a data steering method in a virtual network, which can improve the flexibility of data steering.
In a first aspect, a data steering apparatus in a virtual network is provided. The data steering apparatus includes a first virtual machine, a second virtual machine, a security service node and a virtual switch; the first virtual machine, the second virtual machine and the security service node are each connected to the virtual switch; the virtual switch is configured to forward data transmitted between the first virtual machine and the second virtual machine to the security service node according to a flow table, so as to instruct the security service node to process the first data, the flow table indicating the routing rules by which the virtual switch transmits data.
Because the first virtual machine, the second virtual machine and the security service node are each connected to the virtual switch, and the flow table indicates the routing rules by which the virtual switch transmits data, in the embodiments of this application data can be steered to the security service node simply by means of the virtual switch created among the first virtual machine, the second virtual machine and the security service node, together with the flow table. No encapsulation of the data by a virtual gateway is needed anywhere in the steering process, and the virtual machines do not need to steer data by memory passing. For the security service node this means there is no need to know in advance the protocol the virtual gateway uses to encapsulate data, and no need to custom-develop in advance an API matching the virtual machine's memory. Therefore, with the data steering apparatus provided by the embodiments of this application, no large amount of prior adaptation work on a third-party security service node is required, which improves the flexibility with which the data steering apparatus can be applied.
Optionally, the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integration bridge. The first virtual machine is connected to the first virtual machine bridge, the second virtual machine is connected to the second virtual machine bridge, the security service node is connected to the security monitoring bridge module, and the first virtual machine bridge, the second virtual machine bridge and the security monitoring bridge module are each connected to the integration bridge. One or more pairs of mutually paired ports (peers) exist on the first virtual machine bridge and the security monitoring bridge module, a pair of mutually paired ports meaning that data sent out by one port is received by the other port and data sent out by the other port is received by the one port. The flow table indicates the routing rules for passing data inside any one of the first virtual machine bridge, the second virtual machine bridge, the security monitoring bridge module and the integration bridge.
In the embodiments of this application, in order to let the security monitoring bridge module and the other bridges communicate with each other and thereby steer data to the security service node, one or more pairs of mutually paired ports can be created between the security monitoring bridge module and the other bridges. Data can then be steered to the security service node by means of the flow table and the created pair or pairs of mutually paired ports.
Optionally, the security service node includes a first secure virtual machine and the security monitoring bridge module includes a first secure virtual machine bridge component, the first secure virtual machine being connected to the first secure virtual machine bridge component. The first virtual machine bridge includes a first port and a second port, and the first secure virtual machine bridge component includes a third port and a fourth port; the first port and the third port on the first secure virtual machine bridge component are a pair of mutually paired ports, and the second port and the fourth port on the first secure virtual machine bridge component are a pair of mutually paired ports.
With this structure, the security service node may include only one secure virtual machine and the security monitoring bridge module only one secure virtual machine bridge component, so that data need only be steered to a single secure virtual machine, which improves the flexibility of the data steering apparatus.
Optionally, the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the N secure virtual machines corresponding one-to-one to the N secure virtual machine bridge components; after the N secure virtual machine bridge components are sorted in a reference order, a pair of mutually paired ports exists on each two adjacent secure virtual machine bridge components, N being a positive integer greater than or equal to 2. The first virtual machine bridge includes a first port and a second port, and each secure virtual machine bridge component includes a third port and a fourth port; the first port and the third port on the first sorted secure virtual machine bridge component are a pair of mutually paired ports, and the second port and the fourth port on the last sorted secure virtual machine bridge component are a pair of mutually paired ports.
With this structure, the security service node includes multiple secure virtual machines and the security monitoring bridge module includes multiple secure virtual machine bridge components, so that data can be steered to multiple secure virtual machines for separate security monitoring, which improves the flexibility of the data steering apparatus.
Optionally, for the i-th sorted secure virtual machine bridge component, the third port on the i-th secure virtual machine bridge component and the fourth port on the (i-1)-th secure virtual machine bridge component are a pair of mutually paired ports, i being a positive integer greater than or equal to 2 and less than or equal to N.
With this structure, data can be passed in turn from the first secure virtual machine bridge component to the last secure virtual machine bridge component, which ensures that the data can return to the first virtual machine bridge after passing through multiple secure virtual machines.
Optionally, each secure virtual machine bridge component further includes a fifth port and a sixth port, and the fifth port and the sixth port of a secure virtual machine bridge component are used to connect one secure virtual machine. The flow table indicates that data entering a secure virtual machine bridge component through its third port is sent out through the fifth port of the same component, and that data entering through its fifth port is sent out through the third port of the same component; the flow table further indicates that data entering a secure virtual machine bridge component through its sixth port is sent out through the fourth port of the same component, and that data entering through its fourth port is sent out through the sixth port of the same component.
These routing rules allow data received by a secure virtual machine bridge component to be sent to the secure virtual machine connected to it, and data received from that secure virtual machine to be sent on to another secure virtual machine bridge component or to the first virtual machine bridge.
Optionally, the first virtual machine bridge further includes a seventh port connected to the first virtual machine, and the flow table indicates that data received on the seventh port is sent out through the first port and data received on the first port is sent out through the seventh port.
This routing rule allows data received by the first virtual machine bridge to be sent to the first virtual machine, and data received by the first virtual machine bridge from the first virtual machine to be sent out.
Optionally, the first virtual machine bridge further includes an eighth port, the integration bridge includes a ninth port, and the eighth port is connected to the ninth port; the flow table further indicates that data received on the second port is sent out through the eighth port, and data received on the eighth port is sent out through the ninth port.
This routing rule allows data received by the first virtual machine bridge to be sent to the integration bridge, and data received by the integration bridge to be sent to the first virtual machine bridge.
Optionally, the integration bridge further includes a tenth port, the second virtual machine bridge further includes an eleventh port and a twelfth port, the tenth port is connected to the eleventh port, and the twelfth port is connected to the second virtual machine; the flow table further indicates that data received on the ninth port is sent out through the tenth port and data received on the tenth port is sent out through the ninth port; the flow table further indicates that data received on the eleventh port is sent out through the twelfth port and data received on the twelfth port is sent out through the eleventh port.
This routing rule allows data received by the first virtual machine bridge to be sent through the integration bridge to the second virtual machine bridge, and data received by the second virtual machine bridge to be sent through the integration bridge to the first virtual machine bridge.
Optionally, each secure virtual machine bridge component includes a first secure virtual machine bridge and a second secure virtual machine bridge; the third port and the fifth port are deployed on the first secure virtual machine bridge, and the fourth port and the sixth port are deployed on the second secure virtual machine bridge.
With this arrangement, the transmission path of data sent to a secure virtual machine and the transmission path of data sent by the secure virtual machine are implemented on different bridges, which makes it easier for the SDN controller to generate the flow table.
Optionally, the virtual switch is created by a software-defined networking (SDN) controller, and the flow table is delivered to the virtual switch by the SDN controller.
In a second aspect, a data steering method in a virtual network is provided, applied to the data steering apparatus of any one of claims 1 to 11. The method includes: the virtual switch receives first data sent by the first virtual machine; the virtual switch forwards the first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, the flow table indicating the routing rules by which the virtual switch transmits data; and when the virtual switch receives the first data sent by the security service node, it sends the first data to the second virtual machine according to the flow table.
Optionally, the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integration bridge. That the virtual switch receives the first data sent by the first virtual machine includes: the first virtual machine bridge receives the first data sent by the first virtual machine. Correspondingly, that the virtual switch forwards the first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, includes: the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table; the security monitoring bridge module forwards the received first data to the security service node according to the flow table, so as to instruct the security service node to process the first data. Correspondingly, that the virtual switch, on receiving the first data sent by the security service node, sends the first data to the second virtual machine according to the flow table includes: the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge according to the flow table; on receiving the first data sent by the security monitoring bridge module, the first virtual machine bridge sends the first data to the integration bridge according to the flow table; on receiving the first data, the integration bridge sends the first data to the second virtual machine bridge according to the flow table, and the second virtual machine bridge sends the first data to the second virtual machine according to the flow table.
Optionally, the security service node includes a first secure virtual machine and the security monitoring bridge module includes a first secure virtual machine bridge component. That the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sends the first data through the first port. Correspondingly, that the security monitoring bridge module forwards the received first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, includes: the first secure virtual machine bridge component receives the first data through the third port and sends the first data to the first secure virtual machine, the first port and the third port on the first secure virtual machine bridge component being a pair of mutually paired ports.
Optionally, that the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the first secure virtual machine bridge component receives the first data sent by the first secure virtual machine, the first secure virtual machine bridge component sends the first data through the fourth port;
the first virtual machine bridge receives the first data through the second port, the second port and the fourth port on the first secure virtual machine bridge component being a pair of mutually paired ports.
Optionally, the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, with a one-to-one correspondence between the N secure virtual machines and the N secure virtual machine bridge components, N being a positive integer greater than or equal to 2. That the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sends the first data through the first port, and the first of the N secure virtual machine bridge components sorted in the reference order receives the first data through its third port, the first port and the third port on the first sorted secure virtual machine bridge component being a pair of mutually paired ports. Correspondingly, that the security monitoring bridge module forwards the received first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, includes: the first secure virtual machine bridge component sends the first data to the corresponding secure virtual machine, so as to instruct that secure virtual machine to process the first data; the first secure virtual machine bridge component receives the first data sent back by the corresponding secure virtual machine, and the first secure virtual machine bridge component sends the first data to the second secure virtual machine; for the i-th sorted secure virtual machine bridge component, the i-th secure virtual machine bridge component receives the first data sent by the (i-1)-th secure virtual machine bridge component and sends the first data to the corresponding secure virtual machine, so as to instruct that secure virtual machine to process the first data and return it to the i-th secure virtual machine bridge component, i being a positive integer greater than or equal to 2 and less than or equal to N, and, after the N secure virtual machine bridge components are sorted in the reference order, a pair of mutually paired ports existing on each two adjacent secure virtual machine bridge components.
Optionally, that the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the last sorted secure virtual machine bridge component receives the first data sent by the corresponding secure virtual machine, it sends the first data through the fourth port; the first virtual machine bridge receives the first data through the second port, the second port and the fourth port on the last sorted secure virtual machine bridge component being a pair of mutually paired ports.
Optionally, the method further includes: the virtual switch receives second data sent by the second virtual machine in response to the first data; the virtual switch forwards the second data to the security service node according to the flow table, so as to instruct the security service node to process the second data; and when the virtual switch receives the second data sent by the security service node, it sends the second data to the first virtual machine according to the flow table.
Optionally, the virtual switch includes a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integration bridge. That the virtual switch receives the second data sent by the second virtual machine in response to the first data includes: the second virtual machine bridge receives the second data sent by the second virtual machine. Correspondingly, that the virtual switch forwards the second data to the security service node according to the flow table, so as to instruct the security service node to process the second data, includes: the second virtual machine bridge sends the second data to the integration bridge in the virtual switch according to the flow table; on receiving the second data, the integration bridge sends the second data to the first virtual machine bridge according to the flow table; on receiving the second data sent by the integration bridge, the first virtual machine bridge sends the second data to the security monitoring bridge module according to the flow table; the security monitoring bridge module forwards the received second data to the security service node according to the flow table, so as to instruct the security service node to process the second data. Correspondingly, that the virtual switch, on receiving the second data sent by the security service node, sends the second data to the first virtual machine according to the flow table includes: the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the second data sent by the security monitoring bridge module, it sends the second data to the first virtual machine according to the flow table.
Optionally, the security service node includes a first secure virtual machine and the security monitoring bridge module includes a first secure virtual machine bridge component. That the first virtual machine bridge, on receiving the second data sent by the integration bridge, sends the second data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the second data sent by the integration bridge, the first virtual machine bridge sends the second data through the second port; the first secure virtual machine bridge component receives the second data through the fourth port, the second port and the fourth port on the first secure virtual machine bridge component being a pair of mutually paired ports.
Optionally, that the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the first secure virtual machine bridge component receives the second data sent by the first secure virtual machine, it sends the second data through the third port of the first secure virtual machine bridge component; the first virtual machine bridge receives the second data through the first port.
Optionally, the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, with a one-to-one correspondence between the N secure virtual machines and the N secure virtual machine bridge components, N being a positive integer greater than or equal to 2. That the first virtual machine bridge, on receiving the second data sent by the integration bridge, sends the second data to the security monitoring bridge module according to the flow table includes: when the first virtual machine bridge receives the second data sent by the integration bridge, the first virtual machine bridge sends the second data through the second port, and the last of the N secure virtual machine bridge components sorted in the reference order receives the second data through its fourth port, the second port and the fourth port on the last sorted secure virtual machine bridge component being a pair of mutually paired ports;
Correspondingly, that the security monitoring bridge module forwards the received second data to the security service node according to the flow table, so as to instruct the security service node to process the second data, includes:
the last secure virtual machine bridge component sends the second data to the corresponding secure virtual machine, so as to instruct that secure virtual machine to process the second data and return it to the last secure virtual machine bridge component, and the last secure virtual machine bridge component sends the second data to the second-to-last sorted secure virtual machine bridge component;
for the j-th sorted secure virtual machine bridge component, the j-th secure virtual machine bridge component receives the second data sent by the (j+1)-th secure virtual machine bridge component and sends the second data to the corresponding secure virtual machine, so as to instruct that secure virtual machine to process the second data and return it to the j-th secure virtual machine bridge component, j being a positive integer greater than or equal to 1 and less than or equal to N-1, and, after the N secure virtual machine bridge components are sorted in the reference order, a pair of mutually paired ports existing on each two adjacent secure virtual machine bridge components.
Optionally, that the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge according to the flow table includes: when the first sorted secure virtual machine bridge component receives the second data sent by the corresponding secure virtual machine, it sends the second data through the third port; the first virtual machine bridge receives the second data through the first port, the first port and the third port on the first sorted secure virtual machine bridge component being a pair of mutually paired ports.
For the beneficial effects of the data steering method in a virtual network provided in the second aspect, reference may be made to the beneficial effects of the apparatus provided in the first aspect, which are not repeated here.
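The port layout of the first aspect (ports one through twelve on the first virtual machine bridge, the secure virtual machine bridge components and the integration bridge) and the two data paths of the second aspect, simulated as an added example that is not code from the patent or from any real virtual switch. The bridge names (vm_br1, br_int, svm_br{i}_in, svm_br{i}_out), the port names (p1 to p12, p3_i to p6_i) and the rule that data received on the eighth port is sent back out through the second port (the reply path of the second aspect) are assumptions made here to mirror the text.

```python
"""Bridge / peer-port / flow-table simulation of the data paths in the summary above.
Added example, not code from the patent or from any real virtual switch; bridge and
port names are constructed to mirror the first- through twelfth ports in the text."""


class VirtualSwitch:
    """Bridges owning ports, links between ports (peer pairs and bridge-to-bridge
    connections), VMs attached to ports, and a flow table that only ever maps an
    ingress port to an egress port on the same bridge."""

    def __init__(self):
        self.port_bridge = {}  # port -> bridge that owns it
        self.flows = {}        # (bridge, in_port) -> out_port
        self.links = {}        # port -> port that receives what this port sends
        self.endpoints = {}    # port -> (vm, port the VM hands data back on, or None)

    def add_flow(self, bridge, in_port, out_port):
        # A flow rule routes inside one bridge: reject a rule naming a foreign port.
        for p in (in_port, out_port):
            if self.port_bridge.get(p) != bridge:
                raise ValueError(f"port {p} is not on bridge {bridge}")
        self.flows[(bridge, in_port)] = out_port

    def add_two_way(self, bridge, a, b):
        # Create ports a and b on bridge and the two rules a -> b and b -> a
        # (the pattern every bridge in the text uses).
        for p in (a, b):
            if p in self.port_bridge:
                raise ValueError(f"port {p} already exists")
            self.port_bridge[p] = bridge
        self.add_flow(bridge, a, b)
        self.add_flow(bridge, b, a)

    def link(self, a, b):
        # Mutually paired ports: data sent by one is received by the other.
        self.links[a], self.links[b] = b, a

    def attach_vm(self, port, vm, returns_on=None):
        # returns_on is set for a secure VM, which hands processed data back on
        # its other port; a plain VM (returns_on=None) is a final destination.
        self.endpoints[port] = (vm, returns_on)

    def route(self, ingress_port, max_hops=64):
        """Follow the flow table from the port where a VM injected data and return
        the VMs that handle it, in order, ending with the destination VM."""
        visited, port = [], ingress_port
        for _ in range(max_hops):
            bridge = self.port_bridge[port]
            out = self.flows.get((bridge, port))
            if out is None:
                raise LookupError(f"no flow rule for port {port} on {bridge}")
            if out in self.endpoints:
                vm, back = self.endpoints[out]
                visited.append(vm)
                if back is None:  # delivered to an ordinary VM
                    return visited
                port = back       # a secure VM re-injects on its other port
            elif out in self.links:
                port = self.links[out]  # cross a peer pair or bridge link
            else:
                raise LookupError(f"port {out} is connected to nothing")
        raise RuntimeError("hop limit exceeded: the flow table forms a loop")


def build_topology(n):
    """First VM bridge, integration bridge, second VM bridge and n >= 1 secure VM
    bridge components chained through peer port pairs, as described in the text."""
    sw = VirtualSwitch()
    # First VM bridge: port 7 faces VM1, port 8 faces the integration bridge,
    # ports 1 and 2 peer with the first and the last secure VM bridge component.
    sw.add_two_way("vm_br1", "p7", "p1")
    sw.add_two_way("vm_br1", "p2", "p8")
    sw.attach_vm("p7", "vm1")
    # Integration bridge (ports 9, 10) and second VM bridge (ports 11, 12).
    sw.add_two_way("br_int", "p9", "p10")
    sw.add_two_way("vm_br2", "p11", "p12")
    sw.link("p8", "p9")
    sw.link("p10", "p11")
    sw.attach_vm("p12", "vm2")
    # Secure VM bridge component i: an ingress bridge carrying ports 3 and 5 and
    # an egress bridge carrying ports 4 and 6; ports 5 and 6 face the secure VM.
    # Port 3 peers with port 1 (i == 1) or with port 4 of component i-1.
    for i in range(1, n + 1):
        p3, p4, p5, p6 = (f"p{k}_{i}" for k in (3, 4, 5, 6))
        sw.add_two_way(f"svm_br{i}_in", p3, p5)
        sw.add_two_way(f"svm_br{i}_out", p6, p4)
        sw.attach_vm(p5, f"svm{i}", returns_on=p6)
        sw.attach_vm(p6, f"svm{i}", returns_on=p5)
        sw.link("p1" if i == 1 else f"p4_{i - 1}", p3)
    sw.link(f"p4_{n}", "p2")  # port 4 of the last component peers with port 2
    return sw


def inspected_by_all(sw, ingress_port, n):
    """True if data injected at ingress_port passes through every one of the n
    secure VMs before delivery, i.e. no secure VM is bypassed."""
    visited = sw.route(ingress_port)
    return set(visited[:-1]) == {f"svm{i}" for i in range(1, n + 1)}
```

With three secure VMs, `build_topology(3).route("p7")` (first data, VM1 to VM2) returns `['svm1', 'svm2', 'svm3', 'vm2']` and `route("p12")` (second data, VM2 to VM1) returns `['svm3', 'svm2', 'svm1', 'vm1']`; deleting the `("vm_br1", "p8")` rule makes the reply path fail with `LookupError`, which is the check an operator wants before trusting that every flow passes inspection.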
Description of the drawings
FIG. 1 is a schematic structural diagram of a host in a virtualized network according to an embodiment of this application;
FIG. 2 is a schematic structural diagram of a data steering apparatus in a virtual network according to an embodiment of this application;
FIG. 3 is a schematic structural diagram of another data steering apparatus according to an embodiment of this application;
FIG. 4 is a schematic diagram of another data steering apparatus according to an embodiment of this application;
FIG. 5 is a flowchart of a data steering method in a virtual network according to an embodiment of this application;
FIG. 6 is a flowchart of another data steering method in a virtual network according to an embodiment of this application.
Detailed description
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
Before the data diversion apparatus and data diversion method in a virtual network provided by the embodiments of the present application are explained, the application scenario of the embodiments is explained first.
In a non-virtualized network, if the data transmitted between two network devices needs to be monitored for security, a security device such as an intrusion prevention system (IPS) or an intrusion detection system (IDS) can be connected in series between the two network devices, so that the data transmitted between them is diverted to the security device for security monitoring. In a virtualized network, however, virtualization breaks the traditional network boundary. If the data transmitted between two virtual machines needs to be monitored for security, connecting a security device in series in the network to divert the data is difficult to achieve in a virtualized network, because of the complexity of the routing configuration and limitations inherent in the cloud scenario itself. Therefore, the embodiments of the present application provide a data diversion apparatus and a data diversion method in a virtualized network. FIG. 1 is a schematic structural diagram of a host in a virtualized network according to an embodiment of the present application. As shown in FIG. 1, an operating system 101 is installed on a host 100, multiple virtual machines run on the operating system 101, and data can be transmitted between the virtual machines. The data diversion apparatus and data diversion method provided by the embodiments of the present application can be applied between two virtual machines located on the same host, or between two virtual machines located on different hosts.
Next, the data diversion apparatus provided by the embodiments of the present application is explained in detail.
FIG. 2 is a schematic structural diagram of a data diversion apparatus in a virtual network according to an embodiment of the present application. As shown in FIG. 2, the data diversion apparatus 200 includes a first virtual machine 201, a second virtual machine 202, a security service node 203 and a virtual switch 204. The first virtual machine 201, the second virtual machine 202 and the security service node 203 are each connected to the virtual switch 204. The virtual switch 204 is configured to forward, according to a flow table, the data transmitted between the first virtual machine 201 and the second virtual machine 202 to the security service node 203, so as to instruct the security service node 203 to process the first data; the flow table indicates the routing rules by which the virtual switch 204 transmits data.
Since the first virtual machine, the second virtual machine and the security service node are each connected to the virtual switch, and the flow table indicates the routing rules by which the virtual switch transmits data, in the embodiments of the present application data can be diverted to the security service node simply by means of the virtual switch created among the first virtual machine, the second virtual machine and the security service node, together with the flow table. During the entire diversion process the data need not be encapsulated by a virtual machine gateway, and the virtual machines need not divert data by passing it through memory. Consequently, the security service node need neither know in advance the protocol the virtual gateway uses to encapsulate data, nor be provided in advance with a custom-developed API interface matching the virtual machine's memory. Therefore, with the data diversion apparatus provided by the embodiments of the present application, a large amount of adaptation work does not have to be performed in advance on a security service node supplied by a third party, which improves the application flexibility of the data diversion apparatus.
The virtual switch 204 may be created by a software-defined networking (SDN) controller. Of course, the virtual switch 204 may also be created by other types of network controllers, which are not listed one by one here. The flow table may be delivered to the virtual switch 204 by the SDN controller. Specifically, the flow table may be a flow table based on OpenFlow (a network communication protocol).
The structure of the virtual switch provided by the embodiments of the present application is described in detail below:
In a possible implementation, as shown in FIG. 2, the virtual switch 204 includes a first virtual machine bridge 2041, a second virtual machine bridge 2042, a security monitoring bridge module 2043 and an integration bridge 2044. The first virtual machine 201 is connected to the first virtual machine bridge 2041. The second virtual machine 202 is connected to the second virtual machine bridge 2042. The security service node 203 is connected to the security monitoring bridge module 2043. The first virtual machine bridge 2041, the second virtual machine bridge 2042 and the security monitoring bridge module 2043 are each connected to the integration bridge 2044. The first virtual machine bridge 2041, the second virtual machine bridge 2042, the security monitoring bridge module 2043 and the integration bridge 2044 can all be created by the SDN controller.
In the embodiments of the present application, in order to allow the security monitoring bridge module 2043 and the other bridges to communicate with each other and thereby divert data to the security service node, one or more pairs of mutually paired ports can be created between the security monitoring bridge module 2043 and the other bridges. A pair of mutually paired ports means that data sent from one port is received by the other port, and data sent from the other port is received by the first. Specifically, in the data diversion apparatus shown in FIG. 2, the flow table indicates the routing rules for transferring data inside any one of the first virtual machine bridge 2041, the second virtual machine bridge 2042, the security monitoring bridge module 2043 and the integration bridge 2044. Therefore, in the embodiments of the present application, data can be diverted to the security service node by means of the flow table and the created pair or pairs of mutually paired ports.
Specifically, the virtual switch 204 may have the following two possible structures:
In the first possible structure, two pairs of mutually paired ports exist on the first virtual machine bridge 2041 and the security monitoring bridge module 2043. In this way, the first virtual machine bridge 2041 can divert data to the security monitoring bridge module 2043 through one of the pairs of paired ports, and when the security monitoring bridge module 2043 receives the data fed back by the security service node 203, it can return the data to the first virtual machine bridge 2041 through the other pair of paired ports, so that the data is sent to the second virtual machine 202 via the first virtual machine bridge 2041, the integration bridge 2044 and the second virtual machine bridge 2042.
When the data between the first virtual machine 201 and the second virtual machine 202 does not need to be diverted to the security service node, that data is transmitted via the first virtual machine bridge 2041, the second virtual machine bridge 2042 and the integration bridge 2044. For example, when the first virtual machine 201 sends data, the path by which the data is transmitted to the second virtual machine 202 is first virtual machine bridge 2041 → integration bridge 2044 → second virtual machine bridge 2042. Therefore, diverting data with the first possible structure is compatible with the original path for transmitting data between the virtual machines and avoids extensive modification of the flow table, which improves the application flexibility of the data diversion apparatus.
In the second possible structure, a pair of mutually paired ports can be created on the first virtual machine bridge 2041 and the security monitoring bridge module 2043, and another pair of mutually paired ports can be created on the security monitoring bridge module 2043 and the second virtual machine bridge 2042. In this way, the first virtual machine bridge 2041 can divert data to the security monitoring bridge module 2043, and when the security monitoring bridge module 2043 receives the data fed back by the security service node 203, it can send the data to the second virtual machine bridge 2042, so that the data is sent to the second virtual machine 202. In this case, however, the existing flow table must be modified extensively, which is not conducive to adoption of the data diversion apparatus.
In addition, in a virtualized network, a secure virtual machine (SVM) can perform security monitoring on data. Therefore, in the embodiments of the present application, the security service node may include one secure virtual machine, so that the data is monitored by that secure virtual machine. Of course, the security service node may also include multiple secure virtual machines, so that the data is monitored by each of the multiple secure virtual machines in turn. Accordingly, for the first possible structure described above, the data diversion apparatus shown in FIG. 2 may specifically take the following two forms.
FIG. 3 is a schematic structural diagram of another data diversion apparatus according to an embodiment of the present application. As shown in FIG. 3, the security service node 203 includes a first secure virtual machine 2031, the security monitoring bridge module 2043 includes a first secure virtual machine bridge component 20431, the first secure virtual machine 2031 is connected to the first secure virtual machine bridge component 20431, the first virtual machine bridge 2041 includes a first port and a second port, and the first secure virtual machine bridge component 20431 includes a third port and a fourth port. The first port and the third port on the first secure virtual machine bridge component 20431 are a pair of mutually paired ports, and the second port and the fourth port on the first secure virtual machine bridge component 20431 are a pair of mutually paired ports.
That is, in the data diversion apparatus shown in FIG. 3, the security service node includes only one secure virtual machine and the security monitoring bridge module includes only one secure virtual machine bridge component, so the data only needs to be diverted to a single secure virtual machine.
FIG. 4 is a schematic diagram of another data diversion apparatus according to an embodiment of the present application. As shown in FIG. 4, the security service node 203 includes N secure virtual machines 2032. The security monitoring bridge module 2043 includes N secure virtual machine bridge components 20432. The N secure virtual machines 2032 correspond one-to-one to the N secure virtual machine bridge components 20432. After the N secure virtual machine bridge components 20432 are sorted in a reference order, a pair of mutually paired ports exists on every two adjacent secure virtual machine bridge components 20432. N is a positive integer greater than or equal to 2, and the first virtual machine bridge 2041 includes a first port and a second port. Each secure virtual machine bridge component 20432 includes a third port and a fourth port. The first port and the third port on the first sorted secure virtual machine bridge component 20432 are a pair of mutually paired ports. The second port and the fourth port on the last sorted secure virtual machine bridge component 20432 are a pair of mutually paired ports.
Because the first port and the third port on the first sorted secure virtual machine bridge component 20432 are a pair of mutually paired ports, the first virtual machine bridge 2041 can send data to the first sorted secure virtual machine bridge component 20432. Because a pair of mutually paired ports exists on every two adjacent secure virtual machine bridge components 20432 once they are sorted in the reference order, data can be passed in turn from the first secure virtual machine bridge component 20432 to the last secure virtual machine bridge component 20432. And because the second port and the fourth port on the last sorted secure virtual machine bridge component 20432 are a pair of mutually paired ports, after passing through all the secure virtual machines 2032 the data can be returned to the first virtual machine bridge 2041.
That is, in the data diversion apparatus shown in FIG. 4, the security service node 203 includes multiple secure virtual machines 2032 and the security monitoring bridge module 2043 includes multiple secure virtual machine bridge components 20432, so that the data can be diverted to multiple secure virtual machines 2032 for separate security monitoring, which improves the flexibility of the data diversion apparatus.
FIG. 4 merely uses N = 2 as an example; the number of secure virtual machines 2032 and the number of secure virtual machine bridge components 20432 in FIG. 4 do not constitute a specific limitation on N.
In addition, in the data diversion apparatus shown in FIG. 4, the statement that a pair of mutually paired ports exists on every two adjacent secure virtual machine bridge components 20432 after the N components are sorted in the reference order may specifically mean: for the i-th sorted secure virtual machine bridge component 20432, the third port on the i-th secure virtual machine bridge component 20432 and the fourth port on the (i-1)-th secure virtual machine bridge component 20432 are a pair of mutually paired ports, where i is a positive integer greater than or equal to 2 and less than or equal to N. For example, in FIG. 4, the third port on the second secure virtual machine bridge component 20432 and the fourth port on the first secure virtual machine bridge component 20432 are a pair of mutually paired ports.
In addition, as shown in FIG. 3 or FIG. 4, any secure virtual machine bridge component further includes a fifth port and a sixth port, which are used to connect one secure virtual machine.
In this case, the flow table indicates that data received on the third port of any secure virtual machine bridge component is sent out through the fifth port of the same secure virtual machine bridge component, and data received on the fifth port of any secure virtual machine bridge component is sent out through the third port of the same component. The flow table further indicates that data received on the sixth port of any secure virtual machine bridge component is sent out through the fourth port of the same component, and data received on the fourth port of any secure virtual machine bridge component is sent out through the sixth port of the same component. With these routing rules, data received on a secure virtual machine bridge component is sent to the virtual machine connected to it, and data received from the connected virtual machine is sent on to another secure virtual machine bridge component or to the first virtual machine bridge.
In addition, as shown in FIG. 3 or FIG. 4, the first virtual machine bridge further includes a seventh port, which is connected to the first virtual machine. In this case, the flow table indicates that data received on the seventh port is sent out through the first port, and data received on the first port is sent out through the seventh port. With this routing rule, data received by the first virtual machine bridge is sent to the first virtual machine, or data the first virtual machine bridge receives from the first virtual machine is sent onward.
In addition, as shown in FIG. 3 or FIG. 4, the first virtual machine bridge further includes an eighth port, the integration bridge includes a ninth port, and the eighth port is connected to the ninth port. In this case, the flow table further indicates that data received on the second port is sent out through the eighth port, and data received on the eighth port is sent out through the ninth port. With this routing rule, data received by the first virtual machine bridge is sent to the integration bridge, or data received by the integration bridge is sent to the first virtual machine bridge.
The integration bridge further includes a tenth port, and the second virtual machine bridge further includes an eleventh port and a twelfth port; the tenth port is connected to the eleventh port, and the twelfth port is connected to the second virtual machine. In this case, the flow table further indicates that data received on the ninth port is sent out through the tenth port, and data received on the tenth port is sent out through the ninth port. The flow table further indicates that data received on the eleventh port is sent out through the twelfth port, and data received on the twelfth port is sent out through the eleventh port. With these routing rules, data received by the first virtual machine bridge is sent through the integration bridge to the second virtual machine bridge, or data received by the second virtual machine bridge is sent through the integration bridge to the first virtual machine bridge.
In addition, since the flow table delivered by the SDN controller is usually delivered per bridge, in the embodiments of the present application any secure virtual machine bridge component, as shown in FIG. 3 or FIG. 4, may include a first secure virtual machine bridge and a second secure virtual machine bridge. The third port and the fifth port of FIG. 3 or FIG. 4 are deployed on the first secure virtual machine bridge, and the fourth port and the sixth port of FIG. 3 or FIG. 4 are deployed on the second secure virtual machine bridge. With this arrangement, the transmission path of data sent to the secure virtual machine and the transmission path of data sent by the secure virtual machine are implemented on different bridges, which makes it easier for the SDN controller to construct the flow table.
In the data diversion apparatus shown in FIG. 3 or FIG. 4, the first virtual machine bridge, the first secure virtual machine bridge, the second secure virtual machine bridge and the second virtual machine bridge may be Linux bridges. For example, bridges of this type may be named Br-ply bridges, though other names may of course be used. In addition, in the data diversion apparatus shown in FIG. 3 or FIG. 4, the integration bridge may be an Open vSwitch (OVS) bridge. For example, a bridge of this type may be named a Br-int bridge, though other names may of course be used.
In addition, in the data diversion apparatus shown in FIG. 3 or FIG. 4, the first secure virtual machine bridge or the second secure virtual machine bridge is likewise connected to the integration bridge through a port, which is not described one by one here.
In addition, for the data diversion apparatus shown in FIGS. 2 to 4, the first virtual machine, the second virtual machine and the secure virtual machine may be virtual machines on the same host or on different hosts. If the first virtual machine and the second virtual machine need to exchange data in both directions, the first virtual machine, the second virtual machine and the secure virtual machine must be deployed on the same host. If the first virtual machine only needs to send data to the second virtual machine in one direction, it is only necessary to require that the first virtual machine and the secure virtual machine be located on the same host. Likewise, if the second virtual machine only needs to send data to the first virtual machine in one direction, it is only necessary to require that the second virtual machine and the secure virtual machine be located on the same host.
Next, the data diversion method in a virtual network provided by the embodiments of the present application is described in detail. In the embodiments of the present application, when the first virtual machine sends first data to the second virtual machine, the first data can be diverted by the data diversion apparatus described above. Of course, when the second virtual machine feeds back second data to the first virtual machine in response to the first data, the second data can be transmitted along the path opposite to that of the first data so that the second data is diverted as well, since security monitoring of the second data usually needs to refer to the first data. The following embodiments describe these two scenarios respectively.
FIG. 5 is a flowchart of a data diversion method in a virtual network according to an embodiment of the present application, applied to the data diversion apparatus shown in the embodiments of FIGS. 2 to 4. As shown in FIG. 5, the method includes the following steps:
Step 501: the virtual switch receives first data sent by the first virtual machine.
As shown in FIG. 2, the virtual switch includes a first virtual machine bridge, and the first virtual machine is connected to the first virtual machine bridge. Therefore, in a possible implementation, step 501 may be: the first virtual machine bridge receives the first data sent by the first virtual machine. Specifically, as shown in FIG. 3 or FIG. 4, the seventh port of the first virtual machine bridge receives the first data.
Step 502: the virtual switch forwards the first data to the security service node according to the flow table, so as to instruct the security service node to process the first data; the flow table indicates the routing rules by which the virtual switch transmits data.
As shown in FIG. 2, step 502 may specifically be: the first virtual machine bridge sends the first data to the security monitoring bridge module according to the flow table; the security monitoring bridge module forwards the received first data to the security service node according to the flow table, so as to instruct the security service node to process the first data.
As shown in FIG. 3, when the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table may be implemented as: when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sends the first data through the first port. Correspondingly, the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, may be implemented as: the first secure virtual machine bridge component receives the first data through the third port and sends the first data to the first secure virtual machine.
In addition, as shown in FIG. 4, when the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table may be implemented as: when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sends the first data through the first port, and the first of the N secure virtual machine bridge components sorted in the reference order receives the first data through the third port.
Correspondingly, the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, may be implemented as: the first secure virtual machine bridge component sends the first data to the corresponding secure virtual machine to instruct it to process the first data; the first secure virtual machine bridge component receives the first data sent back by the corresponding secure virtual machine and sends the first data to the second secure virtual machine bridge component; for the i-th sorted secure virtual machine bridge component, the i-th secure virtual machine bridge component receives the first data sent by the (i-1)-th secure virtual machine bridge component and sends the first data to the corresponding secure virtual machine, so as to instruct the corresponding secure virtual machine to process the first data and return the first data to the i-th secure virtual machine bridge component, where i is a positive integer greater than or equal to 2 and less than or equal to N, and after the N secure virtual machine bridge components are sorted in the reference order a pair of mutually paired ports exists on every two adjacent secure virtual machine bridge components.
In both of the implementations described above for FIG. 3 and FIG. 4, when any secure virtual machine bridge component in the security monitoring bridge module receives the first data through its third port, it must send the first data to the secure virtual machine connected to it. Specifically, as shown in FIG. 3 or FIG. 4, when the secure virtual machine bridge component receives the first data through the third port, it can send the first data out through its fifth port, so that the first data reaches the secure virtual machine corresponding to that secure virtual machine bridge component. After receiving the first data, the secure virtual machine can process it and return it to the secure virtual machine bridge component. As shown in FIG. 3 or FIG. 4, the secure virtual machine bridge component receives the first data sent by the corresponding secure virtual machine through its sixth port and, according to the routing rules indicated in the flow table, sends the first data out through its fourth port, so that the first data is sent to the next secure virtual machine bridge component or to the first virtual machine bridge.
Step 503: When the virtual switch receives the first data sent by the security service node, it sends the first data to the second virtual machine according to the flow table.
In a possible implementation, as shown in Figure 2, step 503 may specifically be: the security monitoring bridge module sends the first data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the first data sent by the security monitoring bridge module, it sends the first data to the integration bridge according to the flow table; when the integration bridge receives the first data, it sends the first data to the second virtual machine bridge according to the flow table, and the second virtual machine bridge sends the first data to the second virtual machine according to the flow table.
Specifically, as shown in Figure 3, when the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the security monitoring bridge module may send the first data sent by the security service node to the first virtual machine bridge according to the flow table as follows: when the first secure virtual machine bridge component receives the first data sent by the first secure virtual machine, it sends the first data through the fourth port, and the first virtual machine bridge receives the first data through the second port.
As shown in Figure 4, when the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the security monitoring bridge module may send the first data sent by the security service node to the first virtual machine bridge according to the flow table as follows: when the last secure virtual machine bridge component in the order receives the first data sent by its corresponding secure virtual machine, it sends the first data through its fourth port, and the first virtual machine bridge receives the first data through the second port.
In addition, as shown in Figure 3 or Figure 4, when the first virtual machine bridge receives the first data sent by the security monitoring bridge module, it may send the first data to the integration bridge according to the flow table as follows: the first virtual machine bridge sends the first data through the eighth port, and the integration bridge receives it through the ninth port.
In addition, as shown in Figure 3 or Figure 4, when the integration bridge receives the first data, it may send the first data to the second virtual machine bridge according to the flow table, and the second virtual machine bridge may send the first data to the second virtual machine according to the flow table, as follows: the integration bridge sends the first data through the tenth port; the second virtual machine bridge receives the first data through the eleventh port and sends it through the twelfth port, which delivers the first data to the second virtual machine.
Figure 6 is a flowchart of another data flow guiding method in a virtual network provided by an embodiment of this application, applied to the data flow guiding apparatus shown in the embodiments of Figures 2 to 4. As shown in Figure 6, the method includes the following steps:
Step 601: The virtual switch receives second data that the second virtual machine sends in response to the first data.
As shown in Figure 2, the virtual switch includes the second virtual machine bridge, and the second virtual machine is connected to the second virtual machine bridge. Therefore, in a possible implementation, step 601 may specifically be: the second virtual machine bridge receives the second data sent by the second virtual machine. Specifically, as shown in Figure 3 or Figure 4, the twelfth port of the second virtual machine bridge receives the second data.
Step 602: The virtual switch forwards the second data to the security service node according to the flow table, to instruct the security service node to process the second data.
As shown in Figure 2, the virtual switch may forward the second data to the security service node according to the flow table, to instruct the security service node to process the second data, as follows: the second virtual machine bridge sends the second data to the integration bridge in the virtual switch according to the flow table; when the integration bridge receives the second data, it sends the second data to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the second data sent by the integration bridge, it sends the second data to the security monitoring bridge module according to the flow table; and the security monitoring bridge module forwards the received second data to the security service node according to the flow table, to instruct the security service node to process the second data.
Specifically, as shown in Figure 3, when the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the first virtual machine bridge, on receiving the second data sent by the integration bridge, may send the second data to the security monitoring bridge module according to the flow table as follows: the first virtual machine bridge sends the second data through the second port, and the first secure virtual machine bridge component receives the second data through the fourth port.
Specifically, as shown in Figure 4, when the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the first virtual machine bridge, on receiving the second data sent by the integration bridge, may send the second data to the security monitoring bridge module according to the flow table as follows: the first virtual machine bridge sends the second data through the second port, and the last secure virtual machine bridge component in the reference order of the N components receives the second data through its fourth port.
Correspondingly, the security monitoring bridge module may forward the received second data to the security service node according to the flow table, to instruct the security service node to process the second data, as follows: the last secure virtual machine bridge component sends the second data to its corresponding secure virtual machine to instruct that secure virtual machine to process it, the secure virtual machine returns the second data to the last component, and the last component sends the second data to the second-to-last component in the order; for the j-th secure virtual machine bridge component in the order, the j-th component receives the second data sent by the (j+1)-th component, sends it to its corresponding secure virtual machine to instruct that secure virtual machine to process it, and the secure virtual machine returns the second data to the j-th component, where j is a positive integer greater than or equal to 1 and less than or equal to N-1.
Step 603: When the virtual switch receives the second data sent by the security service node, it sends the second data to the first virtual machine according to the flow table.
As shown in Figure 2, step 603 may specifically be: the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge according to the flow table; when the first virtual machine bridge receives the second data sent by the security monitoring bridge module, it sends the second data to the first virtual machine according to the flow table.
Specifically, as shown in Figure 3, when the security service node includes the first secure virtual machine and the security monitoring bridge module includes the first secure virtual machine bridge component, the security monitoring bridge module may send the second data sent by the security service node to the first virtual machine bridge according to the flow table as follows: when the first secure virtual machine bridge component receives the second data sent by the first secure virtual machine, it sends the second data through its third port, and the first virtual machine bridge receives the second data through the first port.
As shown in Figure 4, when the security service node includes N secure virtual machines and the security monitoring bridge module includes N secure virtual machine bridge components, the security monitoring bridge module may send the second data sent by the security service node to the first virtual machine bridge according to the flow table as follows: when the first secure virtual machine bridge component in the order receives the second data sent by its corresponding secure virtual machine, it sends the second data through its third port, and the first virtual machine bridge receives the second data through the first port.
In the data flow guiding apparatus shown in Figure 3 or Figure 4, for any secure virtual machine bridge component in the security monitoring bridge module: when the component receives the second data through its fourth port, it sends the second data out through its sixth port, which delivers the second data to the secure virtual machine connected to that component; and when the component receives, through its fifth port, the second data returned by that secure virtual machine, it may send the second data out through its third port.
In addition, as shown in Figure 3 or Figure 4, the second virtual machine bridge may send the second data to the integration bridge in the virtual switch according to the flow table as follows: the second virtual machine bridge sends the second data through the eleventh port, and the integration bridge receives it through the tenth port.
As shown in Figure 3 or Figure 4, when the integration bridge receives the second data, it may send the second data to the first virtual machine bridge in the virtual switch according to the flow table as follows: the integration bridge sends the second data through the ninth port, and the first virtual machine bridge receives it through the eighth port.
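The forward path of steps 501 to 503 and the return path of steps 601 to 603 together form a flow-table-driven service chain. The following Python model is an added example, not code from the patent: it builds the bridge and paired-port topology of Figures 3 and 4 for any N, encodes the per-bridge rules of claims 6 to 9 as a flow table, and walks one packet in each direction. The bridge names (br-vm1, br-int, br-vm2, br-sec1 to br-secN), the VM names (vm1, vm2, svm1 to svmN), the use of port 0 for a VM's own interface and the assumption that OpenFlow port numbers equal the patent's first-to-twelfth numbering are all assumptions made for this example. The checks a practitioner wants from such a chain are the ones the model exposes: a packet from the first virtual machine reaches the second only after every secure virtual machine has seen it in the reference order, the reply passes them in reverse order, and a missing flow rule drops the packet instead of letting it bypass the chain.

```python
"""Model of the flow-table-driven service chain of Figures 2 to 4.

Added example, not the patent's code. Bridge, VM and port names are assumptions
that follow the patent's own numbering (first port ... twelfth port).
"""
from dataclasses import dataclass, field


@dataclass
class Chain:
    n: int                                     # number of secure VMs; n == 1 is Figure 3, n >= 2 is Figure 4
    flows: dict = field(default_factory=dict)  # (bridge, in_port) -> out_port: the flow table
    links: dict = field(default_factory=dict)  # (node, port) <-> (node, port): paired ports and VM attachments

    def __post_init__(self):
        if self.n < 1:
            raise ValueError("a chain needs at least one secure virtual machine")
        # VM attachments and bridge-to-bridge links (claims 7 to 9). Port 0 is the VM's own interface.
        self._link(("vm1", 0), ("br-vm1", 7))
        self._link(("br-vm1", 8), ("br-int", 9))
        self._link(("br-int", 10), ("br-vm2", 11))
        self._link(("br-vm2", 12), ("vm2", 0))
        # Flow rules on the first VM bridge, the integration bridge and the second VM bridge.
        for bridge, a, b in (("br-vm1", 7, 1), ("br-vm1", 2, 8), ("br-int", 9, 10), ("br-vm2", 11, 12)):
            self._rule(bridge, a, b)
            self._rule(bridge, b, a)
        comps = [f"br-sec{k}" for k in range(1, self.n + 1)]
        for k, comp in enumerate(comps, start=1):
            # Claim 6: inside every component, port 3 <-> port 5 and port 4 <-> port 6.
            self._rule(comp, 3, 5); self._rule(comp, 5, 3)
            self._rule(comp, 6, 4); self._rule(comp, 4, 6)
            # Ports 5 and 6 attach the component's own secure VM (two interfaces on that VM).
            self._link((comp, 5), (f"svm{k}", 5))
            self._link((comp, 6), (f"svm{k}", 6))
        # Paired ports (claims 3 to 5): port 1 -> first component's port 3,
        # port 2 -> last component's port 4, port 4 of component i-1 -> port 3 of component i.
        self._link(("br-vm1", 1), (comps[0], 3))
        self._link(("br-vm1", 2), (comps[-1], 4))
        for prev, cur in zip(comps, comps[1:]):
            self._link((prev, 4), (cur, 3))

    def _rule(self, bridge, in_port, out_port):
        self.flows[(bridge, in_port)] = out_port

    def _link(self, a, b):
        self.links[a] = b
        self.links[b] = a

    def trace(self, src):
        """Walk one packet from src ("vm1" or "vm2") until it reaches a VM.

        Returns (destination, hops, inspected): hops lists the (bridge, in_port, out_port)
        decisions taken from the flow table, inspected lists the secure VMs traversed, in order.
        """
        hops, inspected = [], []
        node, port = self.links[(src, 0)]
        for _ in range(4 * self.n + 8):        # bounded walk: anything longer is a forwarding loop
            if node in ("vm1", "vm2"):
                return node, hops, inspected
            if node.startswith("svm"):
                # A secure VM is an inline two-interface appliance: what arrives on one interface
                # leaves, after processing, on the other, so the packet never turns back.
                inspected.append(node)
                out = 6 if port == 5 else 5
            else:
                if (node, port) not in self.flows:
                    raise LookupError(f"{node}: no flow rule for in_port {port}, packet dropped")
                out = self.flows[(node, port)]
                hops.append((node, port, out))
            node, port = self.links[(node, out)]
        raise RuntimeError("forwarding loop")

    def no_bypass(self):
        """True when both directions reach the other VM and traverse every secure VM in order."""
        expected = [f"svm{k}" for k in range(1, self.n + 1)]
        dst_f, _, seen_f = self.trace("vm1")
        dst_r, _, seen_r = self.trace("vm2")
        return dst_f == "vm2" and dst_r == "vm1" and seen_f == expected and seen_r == expected[::-1]

    def ovs_flow_commands(self):
        """Render the flow table as ovs-ofctl commands (assumes ofport numbers equal the patent's port numbers)."""
        return [f'ovs-ofctl add-flow {bridge} "in_port={inp},actions=output:{out}"'
                for (bridge, inp), out in sorted(self.flows.items())]


if __name__ == "__main__":
    chain = Chain(3)
    print("chain intact:", chain.no_bypass())
    for hop in chain.trace("vm1")[1]:
        print("  %-8s in_port=%-2d -> output:%d" % hop)
    print("\n".join(chain.ovs_flow_commands()))
```

Running the model with N=3 prints the ten flow-table decisions the first data takes from the first virtual machine to the second, and the rendered `ovs-ofctl add-flow` lines are the shape of what an SDN controller would push to an Open vSwitch for this topology. Deleting any one rule from `flows` makes `trace` raise instead of delivering the packet, which is the property to verify after any change to the flow table: the chain should drop, never skip.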
A person of ordinary skill in the art can understand that all or part of the steps of the foregoing embodiments may be implemented by hardware, or by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The embodiments described above are provided for this application and are not intended to limit it. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of this application shall fall within the scope of protection of this application.

Claims (23)

  1. A data flow guiding apparatus in a virtual network, characterized in that the data flow guiding apparatus comprises a first virtual machine, a second virtual machine, a security service node and a virtual switch;
    the first virtual machine, the second virtual machine and the security service node are each connected to the virtual switch;
    the virtual switch is configured to forward data transmitted between the first virtual machine and the second virtual machine to the security service node according to a flow table, to instruct the security service node to process the data, the flow table being used to indicate routing rules by which the virtual switch transmits data.
  2. The data flow guiding apparatus according to claim 1, characterized in that the virtual switch comprises a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integration bridge;
    the first virtual machine is connected to the first virtual machine bridge, the second virtual machine is connected to the second virtual machine bridge, the security service node is connected to the security monitoring bridge module, and the first virtual machine bridge, the second virtual machine bridge and the security monitoring bridge module are each connected to the integration bridge;
    the first virtual machine bridge and the security monitoring bridge module have one or more pairs of mutually paired ports, where a pair of mutually paired ports means that data sent by one port is received by the other port and data sent by the other port is received by the one port, and the flow table is used to indicate routing rules for passing data inside any one of the first virtual machine bridge, the second virtual machine bridge, the security monitoring bridge module and the integration bridge.
  3. The data flow guiding apparatus according to claim 2, characterized in that the security service node comprises a first secure virtual machine, the security monitoring bridge module comprises a first secure virtual machine bridge component, the first secure virtual machine is connected to the first secure virtual machine bridge component, the first virtual machine bridge comprises a first port and a second port, and the first secure virtual machine bridge component comprises a third port and a fourth port;
    the first port and the third port on the first secure virtual machine bridge component are a pair of mutually paired ports, and the second port and the fourth port on the first secure virtual machine bridge component are a pair of mutually paired ports.
  4. The data flow guiding apparatus according to claim 2, characterized in that the security service node comprises N secure virtual machines, the security monitoring bridge module comprises N secure virtual machine bridge components, the N secure virtual machines correspond one-to-one to the N secure virtual machine bridge components, after the N secure virtual machine bridge components are sorted in a reference order each two adjacent secure virtual machine bridge components have a pair of mutually paired ports, N is a positive integer greater than or equal to 2, the first virtual machine bridge comprises a first port and a second port, and each secure virtual machine bridge component comprises a third port and a fourth port;
    the first port and the third port on the first secure virtual machine bridge component in the order are a pair of mutually paired ports, and the second port and the fourth port on the last secure virtual machine bridge component in the order are a pair of mutually paired ports.
  5. The data flow guiding apparatus according to claim 4, characterized in that, for the i-th secure virtual machine bridge component in the order, the third port on the i-th secure virtual machine bridge component and the fourth port on the (i-1)-th secure virtual machine bridge component are a pair of mutually paired ports, i being a positive integer greater than or equal to 2 and less than or equal to N.
  6. The data flow guiding apparatus according to any one of claims 3 to 5, characterized in that any secure virtual machine bridge component further comprises a fifth port and a sixth port, and the fifth port and the sixth port on any secure virtual machine bridge component are used to connect to one secure virtual machine;
    the flow table is used to indicate that data received through the third port on any secure virtual machine bridge component is sent out through the fifth port of the same secure virtual machine bridge component, and that data received through the fifth port on any secure virtual machine bridge component is sent out through the third port of the same secure virtual machine bridge component;
    the flow table is further used to indicate that data received through the sixth port on any secure virtual machine bridge component is sent out through the fourth port of the same secure virtual machine bridge component, and that data received through the fourth port on any secure virtual machine bridge component is sent out through the sixth port of the same secure virtual machine bridge component.
  7. The data flow guiding apparatus according to any one of claims 3 to 6, characterized in that the first virtual machine bridge further comprises a seventh port, the seventh port is connected to the first virtual machine, and the flow table is used to indicate that data received by the seventh port is sent out through the first port and data received by the first port is sent out through the seventh port.
  8. The data flow guiding apparatus according to any one of claims 3 to 7, characterized in that the first virtual machine bridge further comprises an eighth port, the integration bridge comprises a ninth port, and the eighth port is connected to the ninth port;
    the flow table is further used to indicate that data received by the second port is sent out through the eighth port, and data received by the eighth port is sent out through the ninth port.
  9. The data flow guiding apparatus according to claim 8, characterized in that the integration bridge further comprises a tenth port, the second virtual machine bridge further comprises an eleventh port and a twelfth port, the tenth port is connected to the eleventh port, and the twelfth port is connected to the second virtual machine;
    the flow table is further used to indicate that data received by the ninth port is sent out through the tenth port, and data received by the tenth port is sent out through the ninth port;
    the flow table is further used to indicate that data received by the eleventh port is sent out through the twelfth port, and data received by the twelfth port is sent out through the eleventh port.
  10. The data flow guiding apparatus according to any one of claims 3 to 9, characterized in that any secure virtual machine bridge component comprises a first secure virtual machine bridge and a second secure virtual machine bridge;
    the third port and the fifth port are deployed on the first secure virtual machine bridge, and the fourth port and the sixth port are deployed on the second secure virtual machine bridge.
  11. The data flow guiding apparatus according to any one of claims 1 to 10, characterized in that the virtual switch is created by a software-defined networking (SDN) controller, and the flow table is delivered to the virtual switch by the SDN controller.
  12. A data flow guiding method in a virtual network, characterized in that it is applied to the data flow guiding apparatus according to any one of claims 1 to 11, the method comprising:
    the virtual switch receiving first data sent by the first virtual machine;
    the virtual switch forwarding the first data to the security service node according to a flow table, to instruct the security service node to process the first data, the flow table being used to indicate routing rules by which the virtual switch transmits data;
    when the virtual switch receives the first data sent by the security service node, sending the first data to the second virtual machine according to the flow table.
  13. The method according to claim 12, characterized in that the virtual switch comprises a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module and an integration bridge;
    the virtual switch receiving the first data sent by the first virtual machine comprises:
    the first virtual machine bridge receiving the first data sent by the first virtual machine;
    correspondingly, the virtual switch forwarding the first data to the security service node according to the flow table, to instruct the security service node to process the first data, comprises:
    the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table;
    the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, to instruct the security service node to process the first data;
    correspondingly, when the virtual switch receives the first data sent by the security service node, sending the first data to the second virtual machine according to the flow table comprises:
    the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table;
    when the first virtual machine bridge receives the first data sent by the security monitoring bridge module, sending the first data to the integration bridge according to the flow table;
    when the integration bridge receives the first data, sending the first data to the second virtual machine bridge according to the flow table, and the second virtual machine bridge sending the first data to the second virtual machine according to the flow table.
  14. The method according to claim 13, characterized in that the security service node comprises a first secure virtual machine, and the security monitoring bridge module comprises a first secure virtual machine bridge component;
    the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table comprises:
    when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sending the first data through a first port;
    correspondingly, the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, to instruct the security service node to process the first data, comprises:
    the first secure virtual machine bridge component receiving the first data through a third port and sending the first data to the first secure virtual machine, the first port and the third port on the first secure virtual machine bridge component being a pair of mutually paired ports.
15. The method according to claim 14, wherein the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
    when the first secure virtual machine bridge component receives the first data sent by the first secure virtual machine, the first secure virtual machine bridge component sends the first data through a fourth port;
    the first virtual machine bridge receives the first data through a second port, where the second port and the fourth port on the first secure virtual machine bridge component are a pair of mutually paired ports.
16. The method according to claim 13, wherein the security service node comprises N secure virtual machines, the security monitoring bridge module comprises N secure virtual machine bridge components, the N secure virtual machines correspond one-to-one to the N secure virtual machine bridge components, and N is a positive integer greater than or equal to 2;
    the first virtual machine bridge sending the first data to the security monitoring bridge module according to the flow table comprises:
    when the first virtual machine bridge receives the first data sent by the first virtual machine, the first virtual machine bridge sends the first data through a first port, and the first of the N secure virtual machine bridge components sorted in a reference order receives the first data through a third port, where the first port and the third port on the first sorted secure virtual machine bridge component are a pair of mutually paired ports;
    correspondingly, the security monitoring bridge module forwarding the received first data to the security service node according to the flow table, so as to instruct the security service node to process the first data, comprises:
    the first secure virtual machine bridge component sends the first data to the corresponding secure virtual machine, so as to instruct the corresponding secure virtual machine to process the first data, receives the first data sent back by the corresponding secure virtual machine, and sends the first data on to the second secure virtual machine;
    for the i-th sorted secure virtual machine bridge component, the i-th secure virtual machine bridge component receives the first data sent by the (i-1)-th secure virtual machine bridge component and sends the first data to the corresponding secure virtual machine, so as to instruct the corresponding secure virtual machine to process the first data and return the first data to the i-th secure virtual machine bridge component, where i is a positive integer greater than or equal to 2 and less than or equal to N, and, after the N secure virtual machine bridge components are sorted in the reference order, every two adjacent secure virtual machine bridge components have a pair of mutually paired ports.
17. The method according to claim 16, wherein the security monitoring bridge module sending the first data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
    when the last sorted secure virtual machine bridge component receives the first data sent by the corresponding secure virtual machine, it sends the first data through a fourth port;
    the first virtual machine bridge receives the first data through a second port, where the second port and the fourth port on the last sorted secure virtual machine bridge component are a pair of mutually paired ports.
18. The method according to any one of claims 12 to 17, wherein the method further comprises:
    the virtual switch receives second data sent by the second virtual machine in response to the first data;
    the virtual switch forwards the second data to the security service node according to the flow table, so as to instruct the security service node to process the second data;
    when the virtual switch receives the second data sent by the security service node, it sends the second data to the first virtual machine according to the flow table.
19. The method according to claim 18, wherein the virtual switch comprises a first virtual machine bridge, a second virtual machine bridge, a security monitoring bridge module, and an integrated bridge;
    the virtual switch receiving the second data sent by the second virtual machine in response to the first data comprises:
    the second virtual machine bridge receives the second data sent by the second virtual machine;
    correspondingly, the virtual switch forwarding the second data to the security service node according to the flow table, so as to instruct the security service node to process the second data, comprises:
    the second virtual machine bridge sends the second data to the integrated bridge in the virtual switch according to the flow table;
    when the integrated bridge receives the second data, it sends the second data to the first virtual machine bridge according to the flow table;
    when the first virtual machine bridge receives the second data sent by the integrated bridge, it sends the second data to the security monitoring bridge module according to the flow table;
    the security monitoring bridge module forwards the received second data to the security service node according to the flow table, so as to instruct the security service node to process the second data;
    correspondingly, when the virtual switch receives the second data sent by the security service node, sending the second data to the first virtual machine according to the flow table comprises:
    the security monitoring bridge module sends the second data sent by the security service node to the first virtual machine bridge according to the flow table;
    when the first virtual machine bridge receives the second data sent by the security monitoring bridge module, it sends the second data to the first virtual machine according to the flow table.
20. The method according to claim 19, wherein the security service node comprises a first secure virtual machine, and the security monitoring bridge module comprises a first secure virtual machine bridge component;
    when the first virtual machine bridge receives the second data sent by the integrated bridge, sending the second data to the security monitoring bridge module according to the flow table comprises:
    when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data through a second port;
    the first secure virtual machine bridge component receives the second data through a fourth port, where the second port and the fourth port on the first secure virtual machine bridge component are a pair of mutually paired ports.
21. The method according to claim 20, wherein the security monitoring bridge module sending the second data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
    when the first secure virtual machine bridge component receives the second data sent by the first secure virtual machine, it sends the second data through a third port of the first secure virtual machine bridge component;
    the first virtual machine bridge receives the second data through a first port.
22. The method according to claim 19, wherein the security service node comprises N secure virtual machines, the security monitoring bridge module comprises N secure virtual machine bridge components, the N secure virtual machines correspond one-to-one to the N secure virtual machine bridge components, and N is a positive integer greater than or equal to 2;
    when the first virtual machine bridge receives the second data sent by the integrated bridge, sending the second data to the security monitoring bridge module according to the flow table comprises:
    when the first virtual machine bridge receives the second data sent by the integrated bridge, the first virtual machine bridge sends the second data through a second port, and the last of the N secure virtual machine bridge components sorted in a reference order receives the second data through a fourth port, where the second port and the fourth port on the last sorted secure virtual machine bridge component are a pair of mutually paired ports;
    correspondingly, the security monitoring bridge module forwarding the received second data to the security service node according to the flow table, so as to instruct the security service node to process the second data, comprises:
    the last secure virtual machine bridge component sends the second data to the corresponding secure virtual machine, so as to instruct the corresponding secure virtual machine to process the second data and return the second data to the last secure virtual machine bridge component, and the last secure virtual machine bridge component sends the second data to the second-to-last sorted secure virtual machine bridge component;
    for the j-th sorted secure virtual machine bridge component, the j-th secure virtual machine bridge component receives the second data sent by the (j+1)-th secure virtual machine bridge component and sends the second data to the corresponding secure virtual machine, so as to instruct the corresponding secure virtual machine to process the second data and return the second data to the j-th secure virtual machine bridge component, where j is a positive integer greater than or equal to 1 and less than or equal to N-1, and, after the N secure virtual machine bridge components are sorted in the reference order, every two adjacent secure virtual machine bridge components have a pair of mutually paired ports.
23. The method according to claim 22, wherein the security monitoring bridge module sending the second data sent by the security service node to the first virtual machine bridge according to the flow table comprises:
    when the first sorted secure virtual machine bridge component receives the second data sent by the corresponding secure virtual machine, it sends the second data through a third port;
    the first virtual machine bridge receives the second data through a first port, where the first port and the third port on the first sorted secure virtual machine bridge component are a pair of mutually paired ports.
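The "pair of mutually paired ports" in claims 14 to 17 and 20 to 23 maps directly onto Open vSwitch patch ports, where each side of a pair names the other as its peer, and the per-bridge flow tables onto OpenFlow rules keyed on in_port. The script below is an added example and is not code from the patent or from Huawei. It builds the first virtual machine bridge (first port vm1-p1, second port vm1-p2), N secure virtual machine bridge components (third port secI-p3, fourth port secI-p4), the second virtual machine bridge and the integrated bridge, and installs the flows for the first data (VM1, then components 1..N in order, then the integrated bridge, then VM2) and for the second data (the integrated bridge, then components N..1 in reverse order, then VM1). Every bridge, port and tap name is an assumption, as is the detail that each secure VM has two vNICs (svmI-in facing VM1, svmI-out facing the integrated bridge) and bridges transparently between them. With DRY_RUN=1, the default, it prints the ovs-vsctl and ovs-ofctl commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the patent: Open vSwitch realisation of the bridge
# chain described in claims 13 to 23. All bridge, port and tap names are
# assumptions. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A "pair of mutually paired ports": two OVS patch ports, each naming the other
# as its peer. Usage: add_patch_pair BRIDGE_A PORT_A BRIDGE_B PORT_B
add_patch_pair() {
    run ovs-vsctl --may-exist add-port "$1" "$2" -- set interface "$2" type=patch options:peer="$4"
    run ovs-vsctl --may-exist add-port "$3" "$4" -- set interface "$4" type=patch options:peer="$2"
}

# One flow-table entry on bridge $1: frames arriving on port $2 leave on port $3.
add_flow() {
    run ovs-ofctl add-flow "$1" "priority=100,in_port=$2,actions=output:$3"
}

# build_chain N: first VM bridge br-vm1 (first port vm1-p1, second port vm1-p2),
# N secure-VM bridge components br-secI (third port secI-p3, fourth port secI-p4),
# second VM bridge br-vm2 and integrated bridge br-int. Secure VM I is assumed to
# have two taps, svmI-in (toward VM1) and svmI-out (toward br-int), and to
# bridge transparently between them after inspecting the traffic.
build_chain() {
    n=$1
    run ovs-vsctl --may-exist add-br br-int
    run ovs-vsctl --may-exist add-br br-vm1
    run ovs-vsctl --may-exist add-port br-vm1 vm1-tap      # VM1's vNIC (assumed name)
    add_patch_pair br-vm1 vm1-to-int br-int int-to-vm1
    run ovs-vsctl --may-exist add-br br-vm2
    run ovs-vsctl --may-exist add-port br-vm2 vm2-tap      # VM2's vNIC (assumed name)
    add_patch_pair br-vm2 vm2-to-int br-int int-to-vm2

    i=1
    while [ "$i" -le "$n" ]; do
        br="br-sec$i"
        run ovs-vsctl --may-exist add-br "$br"
        run ovs-vsctl --may-exist add-port "$br" "svm$i-in"
        run ovs-vsctl --may-exist add-port "$br" "svm$i-out"
        if [ "$i" -eq 1 ]; then
            # first port of br-vm1 <-> third port of the first component (claims 14, 16)
            add_patch_pair br-vm1 vm1-p1 "$br" "sec$i-p3"
        else
            # fourth port of component i-1 <-> third port of component i (claims 16, 22)
            add_patch_pair "br-sec$((i-1))" "sec$((i-1))-p4" "$br" "sec$i-p3"
        fi
        # first data (VM1 -> VM2): third port -> secure VM -> fourth port
        add_flow "$br" "sec$i-p3" "svm$i-in"
        add_flow "$br" "svm$i-out" "sec$i-p4"
        # second data (VM2 -> VM1): fourth port -> secure VM -> third port
        add_flow "$br" "sec$i-p4" "svm$i-out"
        add_flow "$br" "svm$i-in" "sec$i-p3"
        i=$((i+1))
    done
    # fourth port of the last component <-> second port of br-vm1 (claims 17, 22)
    add_patch_pair "br-sec$n" "sec$n-p4" br-vm1 vm1-p2

    # br-vm1: VM1 -> first port and second port -> br-int (first data);
    #         br-int -> second port and first port -> VM1 (second data)
    add_flow br-vm1 vm1-tap vm1-p1
    add_flow br-vm1 vm1-p2 vm1-to-int
    add_flow br-vm1 vm1-to-int vm1-p2
    add_flow br-vm1 vm1-p1 vm1-tap
    # br-vm2 and br-int: plain point-to-point forwarding between VM1's and VM2's legs
    add_flow br-vm2 vm2-tap vm2-to-int
    add_flow br-vm2 vm2-to-int vm2-tap
    add_flow br-int int-to-vm1 int-to-vm2
    add_flow br-int int-to-vm2 int-to-vm1
}

build_chain "${1:-2}"
```

Run `DRY_RUN=0 sh chain.sh 3` as root on a host with Open vSwitch to apply it for N=3, and `ovs-ofctl dump-flows br-sec1` to confirm the four per-component entries. Two things to check on a real deployment: the reply path traverses the chain in reverse order, so every secure VM sees both directions of a connection, which stateful inspection (a firewall or IDS in bridge mode) needs; and because ovs-vsctl leaves the default priority-0 NORMAL flow on each new bridge, anything these rules do not match is MAC-learned and forwarded like an ordinary switch, so an operator who wants fail-closed behaviour has to replace that default with a drop rule on every bridge in the chain.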
PCT/CN2020/084347, priority date 2019-04-28, filing date 2020-04-11: Data flow guiding apparatus and data flow guiding method in virtual network, WO2020220977A1 (en)

Applications Claiming Priority (2)

Application Number / Priority Date / Filing Date / Title
CN201910351096.9 / 2019-04-28
CN201910351096.9A, CN110213181B (en) / 2019-04-28 / 2019-04-28 / Data stream guiding device and data stream guiding method in virtual network

Publications (1)

Publication Number / Publication Date
WO2020220977A1 (en) / 2020-11-05

Family ID: 67786559

Family Applications (1)

Application Number / Title / Priority Date / Filing Date
PCT/CN2020/084347, WO2020220977A1 (en) / Data flow guiding apparatus and data flow guiding method in virtual network / 2019-04-28 / 2020-04-11

Country Status (2)

CN (1): CN110213181B (en)
WO (1): WO2020220977A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110213181B (en) * 2019-04-28 2021-01-29 华为技术有限公司 Data stream guiding device and data stream guiding method in virtual network

Citations (7)

Publication number Priority date Publication date Assignee Title
US20140189152A1 (en) * 2012-12-27 2014-07-03 Deep River Ventures, Llc Methods, Systems, and Computer Program Products for Identifying a Protocol Address based on Path Information
WO2015176682A1 (en) * 2014-05-22 2015-11-26 Hangzhou H3C Technologies Co., Ltd. Forwarding a packet
US20160036732A1 (en) * 2014-08-04 2016-02-04 Futurewei Technologies, Inc. System and Method for Network Protocol Offloading in Virtual Networks
CN105530259A (en) * 2015-12-22 2016-04-27 华为技术有限公司 Message filtering method and equipment
CN106789542A (en) * 2017-03-03 2017-05-31 清华大学 A kind of implementation method of cloud data center security service chain
CN108471383A (en) * 2018-02-08 2018-08-31 华为技术有限公司 Message forwarding method, device and system
CN110213181A (en) * 2019-04-28 2019-09-06 华为技术有限公司 Data drainage device and data drainage method in virtual network

Family Cites Families (9)

Publication number Priority date Publication date Assignee Title
US9660903B2 (en) * 2015-02-10 2017-05-23 Alcatel Lucent Method and system for inserting an openflow flow entry into a flow table using openflow protocol
CN107645472A (en) * 2016-07-21 2018-01-30 由国峰 A kind of virtual machine traffic detecting system based on OpenFlow
CN107872443A (en) * 2016-09-28 2018-04-03 深圳市深信服电子科技有限公司 Virtual network security protection system, flow lead method and device
US10778722B2 (en) * 2016-11-08 2020-09-15 Massachusetts Institute Of Technology Dynamic flow system
CN207530616U (en) * 2017-09-05 2018-06-22 全球能源互联网研究院有限公司 A kind of substation's station communication drainage system based on SDN
CN108833305B (en) * 2018-07-17 2024-04-05 北京西普阳光科技股份有限公司 Virtual network device of host
CN109639551B (en) * 2018-11-15 2020-11-03 北京六方云信息技术有限公司 Virtualization drainage device and method
CN109547437B (en) * 2018-11-23 2021-05-25 奇安信科技集团股份有限公司 Drainage processing method and device for safe resource pool
CN109587063B (en) * 2018-12-29 2021-08-31 奇安信科技集团股份有限公司 Data drainage method and device

Non-Patent Citations (1)

Title
Shao, Guolin et al., "Design and implementation of virtual machine traffic detection system based on OpenFlow", Journal of Computer Applications, 10 April 2014, pp. 1034-1037, ISSN 1001-9081 *

Also Published As

Publication number Publication date
CN110213181B (en) 2021-01-29
CN110213181A (en) 2019-09-06

Legal Events

Code / Title / Description
121 / Ep: the epo has been informed by wipo that ep was designated in this application / Ref document number: 20798937; Country of ref document: EP; Kind code of ref document: A1
NENP / Non-entry into the national phase / Ref country code: DE
122 / Ep: pct application non-entry in european phase / Ref document number: 20798937; Country of ref document: EP; Kind code of ref document: A1